Preface



This volume contains the papers presented at the 3rd International Symposium 
on Foundations of Information and Knowledge Systems (FoIKS 2004), which was 
held in Castle Wilhelminenberg, Vienna, Austria, from February 17th to 20th,
2004. 

FoIKS is a biennial event focussing on theoretical foundations of information 
and knowledge systems. It aims at bringing together researchers working on the 
theoretical foundations of information and knowledge systems and attracting 
researchers working in mathematical fields such as discrete mathematics, com- 
binatorics, logics, and finite model theory who are interested in applying their 
theories to research on database and knowledge base theory. 

FoIKS took up the tradition of the conference series Mathematical Fundamentals
of Database Systems (MFDBS) which enabled East-West collaboration
in the field of database theory. The first FoIKS symposium was held in Burg, 
Spreewald (Germany) in 2000, and the second FoIKS symposium was held in 
Salzau Castle (Germany) in 2002. Former MFDBS conferences were held in Dres- 
den (Germany) in 1987, Visegrad (Hungary) in 1989, and in Rostock (Germany) 
in 1991. Proceedings of these previous events were published by Springer-Verlag 
as volumes 305, 364, 495, 1762, and 2284 of the LNCS series, respectively. 

In addition the FoIKS symposium was intended to be a forum for intensive 
discussions. For this reason the time slots for long and short contributions were 
50 and 30 minutes, respectively, followed by 20 and 10 minutes for discussions, 
respectively. Furthermore, participants were asked in advance to prepare to act 
as correspondents for the contributions of other authors. There were also special 
sessions for the presentation and discussion of open research problems. 

The FoIKS 2004 call for papers solicited contributions dealing with any
foundational aspect of information and knowledge systems, e.g.,



— mathematical foundations: discrete methods, boolean functions, finite model 
theory 

— database design: formal models, dependency theory, schema translations, 
desirable properties 

— query languages: expressiveness, computational and descriptive complexity,
query languages for advanced data models, classifications of computable
queries

— semi-structured databases and WWW: models of Web databases, querying 
semi-structured databases, Web transactions and negotiations 

— security in data and knowledge bases: cryptography, steganography,
information hiding

— integrity and constraint management: verification, validation, and
enforcement of consistency, triggers

— information integration: heterogeneous data, views, schema dominance and
equivalence 

— database and knowledge base dynamics: models of transactions, models of 
interaction, updates, consistency preservation, concurrency control 

— intelligent agents: multi-agent systems, autonomous agents, foundations of 
software agents, cooperative agents 

— logics in databases and AI: non-classical logics, spatial and temporal logics, 
probabilistic logics, deontic logic, logic programming 

— knowledge representation: planning, description logics, knowledge and belief, 
belief revision and update, non-monotonic formalisms, uncertainty 

— reasoning techniques: theorem proving, abduction, induction, constraint
satisfaction, common-sense reasoning, probabilistic reasoning, reasoning about
actions.

The programme committee received 64 submissions. Each paper was carefully 
reviewed by at least two experienced referees, and most of the papers were re- 
viewed by three referees. Fourteen papers were chosen for long presentations 
and four papers for short presentations. This volume contains versions of these 
papers polished based on the comments made in the reviews. A few papers will 
be selected for further extension and publishing in a special issue of the journal 
Annals of Mathematics and Artificial Intelligence. 

We would like to thank all authors who submitted papers and all workshop 
participants for the fruitful discussions. We are grateful to the members of the 
programme committee and the external referees for their timely expertise in
carefully reviewing the papers, and we would like to express our thanks to our hosts
for the beautiful week in the pleasant surroundings of Castle Wilhelminenberg 
near Vienna. 

Hypergraph Transversals



Georg Gottlob 

Institut für Informationssysteme, Technische Universität Wien
Favoritenstraße 9-11, A-1040 Wien, Austria
gottlob@dbai.tuwien.ac.at



Hypergraph Transversals have been studied in Mathematics for a long time,
cf. [2]. Generating minimal transversals of a hypergraph is an important problem
which has many applications in Computer Science, especially in Database Theory,
Logic, and AI. We briefly survey some results on problems which are known to
be related to computing the transversal hypergraph, where we focus on problems
in database theory, propositional Logic and AI (for a more detailed survey and
further references cf. [10]).

A hypergraph $\mathcal{H} = (V, E)$ consists of a finite collection $E$ of sets over a finite
set $V$. The elements of $E$ are called hyperedges, or simply edges. A transversal
(or hitting set) of $\mathcal{H}$ is a set $T \subseteq V$ that meets every edge of $E$. A transversal
is minimal if it does not contain any other transversal as a subset. The set
$\mathcal{T}$ of all minimal transversals of $\mathcal{H} = (V, E)$ constitutes, together with $V$, also a
hypergraph $Tr(\mathcal{H}) = (V, \mathcal{T})$, which is called the transversal hypergraph of $\mathcal{H}$. The
famous Transversal Hypergraph Problem (TRANS-HYP) is then as follows: Given
two hypergraphs $\mathcal{G} = (V, E)$ and $\mathcal{H} = (V, F)$ on a finite set $V$, decide whether
$\mathcal{G} = Tr(\mathcal{H})$ holds. The corresponding computation problem is called Transversal
Enumeration (TRANS-ENUM) and is phrased as follows: Given a hypergraph
$\mathcal{H} = (V, E)$ on a finite set $V$, compute the transversal hypergraph $Tr(\mathcal{H})$.

From the point of view of computability in polynomial time, the decisional and the
computational variant of the transversal hypergraph problem are in fact
equivalent: It is known that, for any class $\mathcal{C}$ of hypergraphs, TRANS-ENUM is solvable
in polynomial total time (or output-polynomial time), i.e., in time polynomial in
the combined size of $\mathcal{H}$ and $Tr(\mathcal{H})$, if and only if TRANS-HYP is in the class P
for all pairs $(\mathcal{H}, \mathcal{G})$ such that $\mathcal{H} \in \mathcal{C}$ [3].

The precise complexity of TRANS-HYP is not known to date, and is in fact 
open for more than 20 years now. Accordingly, it is unknown whether TRANS- 
ENUM can be solved in output-polynomial time. 

The problems TRANS-HYP and TRANS-ENUM have a large number of ap- 
plications in many areas of Computer Science, including Distributed Systems, 
Databases, Boolean Circuits and Artificial Intelligence. There, they have impor- 
tant applications in Diagnosis, Machine Learning, Data Mining, and Explanation 
Finding, see e.g. [9,12,17,20,21,22,24] and the references therein. 

We call a decision problem $\Pi$ TRANS-HYP-hard if problem TRANS-HYP can
be reduced to it by a standard polynomial time transformation. Furthermore,
$\Pi$ is TRANS-HYP-complete if $\Pi$ is TRANS-HYP-hard and, moreover, $\Pi$ can be
polynomially transformed into TRANS-HYP; that is, $\Pi$ and TRANS-HYP are
equivalent modulo polynomial time transformations. We use analogous
terminology of TRANS-ENUM-hardness and TRANS-ENUM-completeness for
computation problems, i.e., problems with output (for more details, cf. [10]).

Let us first discuss issues of structural complexity. In a landmark paper,
Fredman and Khachiyan [15] proved that TRANS-HYP can be solved in time
$n^{o(\log n)}$, and thus in quasi-polynomial time. This shows that the problem is most
likely not co-NP-complete, since no co-NP-complete problem is known which is
solvable in quasi-polynomial time; if any such problem exists, then all problems
in NP and co-NP can be solved in quasi-polynomial time.

A natural question is whether TRANS-HYP lies in some lower complexity
class based on other resources than just runtime. In a recent paper [11], it was
shown that the complement of this problem is solvable in polynomial time with
limited nondeterminism, i.e., by a nondeterministic polynomial-time algorithm
that makes only a poly-logarithmic number of guesses in the size of the input.
For a survey on complexity classes with limited nondeterminism, and for several
references see [18]. More precisely, [11] shows that non-duality of a pair $(\mathcal{G}, \mathcal{H})$ can
be proved in polynomial time with $O(\chi(n) \cdot \log n)$ suitably guessed bits, where
$\chi(n)$ is given by $\chi(n)^{\chi(n)} = n$; note that $\chi(n) = o(\log n)$.

This result is surprising, because most researchers dealing with the
complexity of the transversal hypergraph thought so far that these problems are
completely unrelated to limited nondeterminism.

A large number of tractable restrictions of TRANS-HYP and TRANS-ENUM 
are known in the literature, e.g. [7,5,4,8,9,13,11,16,23,27], and references therein. 

Examples of tractable classes are instances $(\mathcal{H}, \mathcal{G})$ where $\mathcal{H}$ has the edge
sizes bounded by a constant, or where $\mathcal{H}$ is acyclic. Various “degrees” of
hypergraph acyclicity have been defined in the literature [14]. The most general
notion of hypergraph acyclicity (applying to the largest class of hypergraphs) is
$\alpha$-acyclicity; less general notions are (in descending order of generality) $\beta$-, $\gamma$-,
and Berge-acyclicity (see [14]). In [9], it was shown that Hypergraph transversal
instances with $\beta$-acyclic $\mathcal{H}$ are tractable. In [11], this tractability result has been
recently improved to instances where $\mathcal{H}$ is $\alpha$-acyclic and simple. This result is a
corollary to a more general tractability result for hypergraphs whose degeneracy
is bounded by a constant; simple, $\alpha$-acyclic hypergraphs have degeneracy 1.

Furthermore, [11] shows that instances $(\mathcal{H}, \mathcal{G})$ of TRANS-HYP where the
vertex-hyperedge incidence graphs of $\mathcal{H}$ (or of $\mathcal{G}$) have bounded treewidth are
solvable in polynomial time.

In the sequel, we mention a few problems closely related to TRANS-HYP 
or TRANS-ENUM. These and many other such problems are discussed in detail 
in [10,9]. 

Functional Dependency Inference 

Given a database relation instance $r$ and a set of functional dependencies (FDs)
$F$, deciding whether $F$ characterizes precisely the FDs holding on $r$, i.e., deciding
whether $F^+$ is identical with the set $FD(r)$ of all FDs valid on $r$, is TRANS-HYP-hard
and in co-NP. The precise complexity is currently open. The same problem
becomes TRANS-HYP-complete if $F$ is in Boyce-Codd Normal Form (BCNF),
i.e., iff all left hand sides of the FDs in $F$ are keys. Given a relation instance $r$,
generating a cover $F$ of FDs such that $F^+ = FD(r)$ is TRANS-ENUM-hard. Vice
versa, given a set $F$, generating a so-called Armstrong relation, i.e., a relation
instance $r$ incorporating precisely all FDs of $F^+$, is also TRANS-ENUM-hard.
For more details on the Dependency Inference problem and on related problems
cf. [24,25,19,26,10], as well as the extended version of [9].



Data Mining: Maximal Frequent Sets 

Given a 0/1 $m \times n$ matrix $A$ and an integral threshold $t$, associate with each
subset $C \subseteq \{1, \dots, n\}$ of column indices the subset $R(C)$ of all rows $r \in \{1, \dots, m\}$ in
$A$ such that $A(r, j) = 1$ for every $j \in C$. Then $C$ is called frequent if $|R(C)| \geq t$,
and $C$ is called infrequent if $|R(C)| < t$. Let us denote by $F_t(A)$ and $\hat{F}_t(A)$ the
sets of all frequent and infrequent column sets $C$ in $A$, respectively.

The generation of frequent and infrequent sets in $A$ is a key problem in
knowledge discovery and data mining, which occurs in mining association rules,
correlations, and other tasks. Of particular interest are the maximal frequent
sets $M_t \subseteq F_t$ and the minimal infrequent sets $I_t \subseteq \hat{F}_t$, since they mark the
boundary of frequent sets (both maximal and minimal under set inclusion). The
following result has been recently proved in [6]: The problem of computing, given
a 0/1 matrix $A$ and a threshold $t$, the sets $M_t$ and $I_t$ is TRANS-ENUM-complete.
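
An added worked example (not part of the original abstract) for the transversal-hypergraph definitions and the maximal frequent sets problem above. It enumerates minimal transversals with Berge's sequential method, decides TRANS-HYP by brute force, and checks the standard fact that the minimal infrequent sets are the minimal transversals of the complements of the maximal frequent sets. Function names, 0-based column numbering and the sample matrix are assumptions of this example, and "frequent" is taken to mean $|R(C)| \geq t$, so that every column set is either frequent or infrequent.

```python
from itertools import combinations


def minimize(family):
    """Keep only the inclusion-minimal members of a family of sets."""
    fam = {frozenset(s) for s in family}
    return {s for s in fam if not any(t < s for t in fam)}


def transversal_hypergraph(edges):
    """TRANS-ENUM by Berge's sequential method (exponential in the worst case).

    Edges are folded in one at a time:
    Tr(H + e) = min{ T | {v} : T in Tr(H), v in e }.
    A transversal that already meets e is kept unchanged.
    """
    tr = {frozenset()}  # the empty hypergraph is hit by the empty set
    for e in map(frozenset, edges):
        tr = minimize(t if t & e else t | {v} for t in tr for v in e)
    return tr


def is_dual(g_edges, h_edges):
    """TRANS-HYP decided the naive way: enumerate Tr(H), compare with G."""
    return {frozenset(e) for e in g_edges} == transversal_hypergraph(h_edges)


def support(A, C):
    """|R(C)|: number of rows of A with a 1 in every column of C."""
    return sum(all(row[j] for j in C) for row in A)


def borders(A, t):
    """Return (M_t, I_t): maximal frequent and minimal infrequent column sets."""
    n = len(A[0])
    subsets = [frozenset(c) for k in range(n + 1)
               for c in combinations(range(n), k)]
    frequent = {C for C in subsets if support(A, C) >= t}
    infrequent = set(subsets) - frequent
    maximal = {C for C in frequent if not any(C < D for D in frequent)}
    return maximal, minimize(infrequent)


def infrequent_border_via_transversals(A, t):
    """I_t computed as Tr of the complements of the maximal frequent sets.

    C is infrequent iff it is contained in no maximal frequent set M,
    i.e. iff it meets every complement V - M.
    """
    columns = frozenset(range(len(A[0])))
    maximal, _ = borders(A, t)
    return transversal_hypergraph(columns - M for M in maximal)


# Constructed sample: 5 rows, 4 columns (columns numbered from 0).
SAMPLE_A = [
    [1, 1, 1, 0],
    [1, 1, 0, 0],
    [1, 0, 1, 1],
    [0, 1, 1, 1],
    [1, 1, 1, 0],
]

if __name__ == "__main__":
    M, I = borders(SAMPLE_A, 2)
    print("maximal frequent:  ", sorted(map(sorted, M)))
    print("minimal infrequent:", sorted(map(sorted, I)))
    print("via transversals:  ",
          sorted(map(sorted, infrequent_border_via_transversals(SAMPLE_A, 2))))
```

The brute-force border computation is exponential in the number of columns and serves only as a cross-check on small inputs.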



Theory Approximation: Horn Envelope 

A logical theory $\Sigma$ is Horn if it is a set of Horn clauses, i.e., disjunctions
$l_1 \lor \cdots \lor l_m$ of literals $l_i$ such that at most one of them is positive. Semantically, Horn
theories are characterized by the property that their set of models, $mod(\Sigma)$, is
closed under intersection, i.e., $M, M' \in mod(\Sigma)$ implies $M \cap M' \in mod(\Sigma)$;
here, $M \cap M'$ is the model $M''$ which results by atomwise logical conjunction of
$M$ and $M'$, i.e., $M'' \models a$ iff $M \models a$ and $M' \models a$, for every atom $a$.

Any theory $\Sigma$ has a unique Horn envelope, which is the strongest (w.r.t.
implication) Horn theory $\Sigma'$ such that $\Sigma \models \Sigma'$. The Horn envelope might be
represented by different Horn theories, but there is a unique representation, which
we denote by $HEnv(\Sigma)$, which consists of all prime clauses of $\Sigma'$. The following
result was established in [22], where the TRANS-ENUM-hardness part was proved
in [21]: The problem of computing, given the models $mod(\Sigma)$ of a propositional
theory $\Sigma$, the Horn envelope $HEnv(\Sigma)$ is TRANS-ENUM-complete.



Dualization of Boolean Functions 

There is a well-known and close connection of TRANS-ENUM to the well-known
dualization problem of Boolean functions: given a CNF $\varphi$ of a Boolean function
$f$, compute a prime CNF $\psi$ of its dual $f^d$, i.e., the function which has value
1 in input vector $b = (b_1, \dots, b_n)$ iff $f$ has value 0 on the input vector
$\bar{b} = (b_1 \oplus 1, \dots, b_n \oplus 1)$. Special algorithms for the dualization problem can be traced
back at least to the 60’s of the past century, cf. [1]. It is not hard to see that this
problem is intractable; in fact, its decisional variant Dual, which, given two CNFs
$\varphi$ and $\psi$ of Boolean functions $f$ and $g$, respectively, consists in deciding whether
$\varphi$ and $\psi$ represent a pair $(f, g)$ of dual Boolean functions, is co-NP-complete,
where hardness holds even if $\psi$ is asserted to be a prime CNF of $g$.

In case of monotone Boolean functions, the dualization problem is
equivalent to determining the transversal hypergraph. Let Monotone Dualization
designate the subcase of Dualization where $f$ is a monotone Boolean function,
and similarly Monotone Dual the subcase of Dual where $f$ is a monotone
Boolean function.

The following statement summarizes well-known results that are part of
the folklore: Monotone Dualization is TRANS-ENUM-complete, and Monotone
Dual is TRANS-HYP-complete. For a proof see [10].



Restricted Versions of the Satisfiability Problem 

We denote by IMSAT (Intersecting Monotone SAT) the restricted version of
the classical SAT problem where each clause contains either only positive literals
or only negative literals, and where every pair of a positive and a negative clause
resolves, i.e., there is at least one atom which occurs unnegated in the positive
clause and negated in the negative clause. The following holds [9,10]: IMSAT
is co-TRANS-HYP-complete. This complexity result holds even if we restrict
IMSAT instances to clause sets $\mathcal{C}$ where the negative clauses are precisely all
clauses $C^-$ such that $C^- = \{\neg u : u \in C^+\}$ for some positive clause $C^+ \in \mathcal{C}$.

Abstract State Machines: An Overview of the Project



Yuri Gurevich 

Abstract. This is an extended abstract of an invited talk at the Third
International Symposium on Foundations of Information and Knowledge 
Systems to be held in Vienna, Austria, in February 2004. 

We quickly survey the ASM project, from its foundational roots to in- 
dustrial applications. 



1 Prelude 

The ASM project started as a foundational investigation by this theorist in the 
mid 1980s at the University of Michigan. In the 1990s, a community of ASM- 
ers formed, see the ASM academic website [1], and several engines to write 
and execute abstract state machines were developed. Siemens was the first large 
company to use such engines. In 1998, Microsoft Research invited this theorist 
to build a group on Foundations of Software Engineering (FSE) and to apply the 
ASM theory. We sketch these developments stressing the foundational issues. 

A draft of the talk, in the form of Power-Point slides, was written first; hence 
the choppy character of this hastily written extended abstract. 

Many thanks to Andreas Blass and Jon Jacky for useful comments. 

2 The Original Foundational Problem 

What is computer science about mathematically speaking? To elucidate the 
question, let’s compare computer science to physics. The physicists use partial 
differential equations (PDEs) to model the physical world. What mathematics 
should play the role of PDEs in computer science? 

The world of computer science is much different from that of physics. The 
precise state of a physical system is an abstraction, but the state of a computer 
(as a digital rather than physical system) is examinable. Much of physics is 
devoted to continuous processes where the very next state of the process does 
not exist. Computer scientists are interested primarily in discrete processes where 
the next state is well defined (unless the process stops). Here we concentrate on 
discrete processes exclusively. 

Computer science isn’t even a natural science: we study the artificial world of 
computers. Imagine intelligent visitors from a distant planet. Their mathematics 
and physics are probably similar to ours, but their computers and therefore their 
computer science may be vastly different. And yet there is something objective
(and going beyond the classical analysis of which functions are computable) 
about computations that is worth exploring. 

2.1 Dynamics 

The classical mathematical approach to deal with dynamics is to reduce it to 
statics. Instead of analyzing motion directly, mathematicians analyze the history 
of motion. Your (for simplicity, ordinary) differential equations may speak about
$dx/dt, dy/dt, \dots$ where $t$ is time, and so you seemingly study a process
developing in time. But a simple coordinate transformation allows you to rewrite your
equations in terms of $dt/dx, dy/dx, \dots$, and now the process develops along a
spatial line rather than the time line. This shows that time is just another
dimension in the perfectly static history of the process. In that sense your (possibly
most fruitful) analysis is sort of an autopsy. 

This reduction of dynamics to statics does not come for free. We illustrate this
on the case of a program with three integer variables $x_1, x_2, x_3$ that goes from the
initial state $X_0$ to states $X_1, X_2, \dots$. If we make the (logical) time explicit (so
that the state at time $t$ is $X_t$), then every $x_i$ is a function $x_i(t)$ of $t$. For simplicity,
we assume that every state $X_t$ is uniquely defined by the values $x_1(t), x_2(t), x_3(t)$.
Every $x_i(t + 1)$ depends on $X_t$ and therefore on $x_1(t), x_2(t), x_3(t)$. Even if the
original program was simple, the derived system of equations may be hard.

The ingenious mathematical analysis fakes a discretization of a continuous 
process and concentrates on the relation between the current state (at time t) 
and the “next state” (at time t+dt). We don’t have to fake discretization because 
we deal with discrete processes to begin with. 

Let’s start our analysis of algorithms with algorithms that work in sequential
time. The term algorithm is understood broadly; every computer system at any
fixed abstraction level is an algorithm. A sequential time algorithm starts in
some state $X_0$ and proceeds to states $X_1, X_2, \dots$

Postulate 1 (Sequential Time [10]) The behavior of a sequential time algo- 
rithm is determined by the set of states, the subset of initial states, and the state 
transition function. 

Remark 1 Shouldn’t it be the state transition relation rather than the state 
transition function? By default, an algorithm is deterministic. (One can argue 
that algorithms are intrinsically deterministic; see [10, Section 9] in this con- 
nection.) But nondeterministic algorithms (and nondeterministic abstract state 
machines) make appearance in the sequel. 

A finite state machine is an example of sequential time algorithm. In general, 
a sequential time algorithm is a finite state machine or an infinite state machine. 
The computation theory offers us the universal Turing machine [13]. But it is 
clearly inadequate to describe arbitrary sequential time algorithms succinctly. 
Can one improve on Turing’s machine? 

2.2 Statics

It occurred to us early on that every static mathematical reality can be described
as a structure in the sense of mathematical logic, that is a set with operations and
relations. Next time you talk to a mathematician, ask him what he is working
on. Whether he/she works with graphs or Banach spaces or whatever, it surely
will be some kind of structures. This insight eventually gave rise to the Abstract
State Postulate. We give here only an abbreviated version of the postulate.

Postulate 2 (Abstract State [10]) The states of an algorithm are structures 
of a fixed vocabulary. . . . 

The vocabulary is intrinsic to the algorithm itself and does not depend on 
the input or state. The current state contains all other information that the 
algorithm needs to continue the computation. 

Remark 2 We use the notion of structure in a slightly unorthodox way. We
presume that the base set of every structure contains the ideal elements true
and false and that predicates are operations taking value in {true, false}.
It follows that our states are algebras in the sense of the science of universal
algebra.

3 Abstract State Machines 

What is the true state of a program in, say, the C programming language? Often, 
they tell you that the state is given by the values of its variables. This is not 
true. You need to know also the procedure stack and where the program counter 
is. 

The Key Observation. With fully transparent states (defined exclusively by 
the values of the variables) , a simple programming language suffices to program 
transitions. 

Note that the state of a C program can be made fully transparent by means of 
auxiliary variables [11]. The same applies to every other programming language. 
The key observation led to the definition of abstract state machines, or ASMs. 

Remark 3 We view a computation as an evolution of the state. According to 
the abstract state postulate and Remark 1, states are algebras. Hence the original 
name “evolving algebras” for abstract state machines. 

We consider three categories of algorithms: sequential, (synchronous) paral- 
lel, and distributed. The definition of sequential ASMs was formulated in [8]. 
The definitions of parallel ASMs and distributed ASMs were formulated in [9]. 
Numerous examples of ASMs are found on the academic ASM site [1]. In the 
talk we illustrate ASM definitions by means of examples. 

4 The Foundational Ambition of the ASM Project

The ASM Thesis. Every algorithm is an ASM as far as the behavior is 
concerned. In particular the given algorithm can be step-for-step simulated by an 
appropriate ASM. 

This bold (impudent?) thesis was formulated in [9]. Recall that the notion 
of algorithm is understood broadly: every computer system at a fixed level of 
abstraction is an algorithm. 

4.1 Theoretical Confirmation of the ASM Thesis 

Intuitively, a sequential algorithm is a sequential time algorithm with steps of 
bounded complexity. In the presence of the sequential time postulate and the 
abstract state postulate, an additional Bounded Exploration Postulate expresses 
that the steps of any sequential algorithm have bounded complexity. 

In [10], a sequential algorithm is defined as anything that satisfies these three 
postulates: the sequential time postulate, the abstract state postulate, and the 
bounded exploration postulate. Sequential ASMs are sequential algorithms of 
course. Two sequential algorithms are behaviorally identical if they have the same
states, the same initial states and the same state transition function. 

Theorem 1 (Sequential Characterization Theorem [10]) For every se- 
quential algorithm, there is a behaviorally identical sequential ASM. 

In [4], a parallel algorithm is defined as anything satisfying the sequential time
postulate, the abstract state postulate, and several other postulates describing 
how the parallel subprocesses communicate with each other. The definition of 
parallel ASMs in [4] is a variant of that in [9]. In either version, parallel ASMs 
are parallel algorithms. 

Theorem 2 (Parallel Characterization Theorem [4]) For every parallel 
algorithm, there is a behaviorally identical parallel ASM. 

The problem of characterizing distributed algorithms by suitable postulates 
is open. 

4.2 ASMs and Hardware/Software Specifications 

By the ASM thesis, ASMs are appropriate for modeling of arbitrary computer 
systems on given levels of abstraction. You can model existing or future sys- 
tems; in other words, you can use ASMs to specify how hardware or software 
is supposed to function at a given level of abstraction. These specifications are 
executable. (Practical ASM languages typically use declarative means as well: 
preconditions, postconditions, invariants, and so on.) The executability of speci- 
fication makes it much more useful. It allows you to address the following crucial 
questions. 

1. Does the specification satisfy the requirements?

2. Does the implementation satisfy the specification? 

4.3 Experimental Confirmation of the ASM Thesis 

A substantial amount of experimental confirmation of the thesis is found at the 
academic ASM website [1]; see also books [5,12]. In most cases people use ASMs 
not to check the thesis but to achieve their own goals; typically they use ASMs 
for modeling/specification purposes. But in the process they find out that ASMs 
suffice for their modeling purpose. In cases when Theorems 1 or 2 apply, a direct 
ASM simulation of a given piece of software or hardware may be more elegant 
than the generic simulation obtained from the proofs of Theorems 1 or 2. 

One particularly impressive example of the ASM usage in academia is a 
large distributed ASM that gives the official dynamic semantics for SDL, the 
Specification and Description Language of the International Telecommunication 
Union [6]. Another impressive example is [12]. 

The use of ASMs at Microsoft is (very partially) reflected at [2].

5 AsmL, the ASM Language 

ASMs are mathematical machines executable in principle. This is not good 
enough for applications. One needs practical engines to write down and exe- 
cute ASMs. By the time I joined Microsoft, several ASM engines were in use. 
Siemens used ASM Workbench designed by Giuseppe Del Castillo at the Uni- 
versity of Paderborn, Germany, as well as ASM Gopher designed by Joachim 
Schmid and Wolfram Schulte at the University of Ulm, Germany. Matthias An- 
lauff designed XASM at the Technical University of Berlin, Germany; since then 
Matthias moved to Kestrel, Palo Alto, CA, and XASM became an open-source 
ASM tool. More information about these and other ASM tools is found at [1]. 

Currently, the most powerful ASM engines are those developed by the Foun- 
dation of Software Engineering group at Microsoft Research. One of them is 
called AsmL, an allusion to ASM Language. AsmL can be downloaded from 
the AsmL website [2] and used for academic purposes. The site contains various 
auxiliary materials. 



5.1 Features of AsmL 

AsmL has a strong mathematical component. In particular, sets, sequences, maps
and tuples are available as well as set comprehension $\{e(x) \mid x \in r \mid \varphi(x)\}$,
sequence comprehension and map comprehension.

AsmL is fully object oriented. 

The crucial features of AsmL, intrinsic to ASMs, are massive synchronous
parallelism and finite choice. ASM steps are transactions, and in that sense
AsmL programming is transaction programming.

AsmL is fully integrated into the .NET framework, which provides
interoperability with a great many languages and tools.

Literate programming via MS Word and automated programming via XML 
are provided. The demo, mentioned below, demonstrates literate programming 
among other things. The whole article [7] is in fact an AsmL document. 

Here are some additional features of AsmL. 

— Advanced type system: disjunctive types, semantic subtypes, generics, 

— Pattern matching for structures and classes, 

— Intra-step communication with outside world and among submachines, 

— Reflection over execution, 

— Data access, structural coverage, 

— State as first class citizen, 

— Processes (coming). 

The AsmL compiler is written in AsmL. 

5.2 Specifications vs. Prototypes 

It is often argued that specifications are mere prototypes. Of course, specifica- 
tions are prototypes but good specifications are more than that. They present 
a consistent high-level description of the system abstracting away irrelevant de- 
tails. They describe what might happen and what must not happen. And they 
are not quickly destroyed and thrown away; instead they continue to serve as 
important documentation. 

Here is an example that makes this point; the example comes with the AsmL 
distribution. The task is to specify in-place sorting that proceeds one swap at a 
time and always advances. Here is an AsmL program that does that. 

var A as Seq of Integer = [3,1,2]

Swap()
  choose i,j in Indices(A)
    where i<j and A(i)>A(j)
      A(i) := A(j)
      A(j) := A(i)

Sort()
  step until fixpoint
    Swap()

The program is self-explanatory with one exception: the last two lines of the 
Swap procedure are executed in parallel so that there is no need to save the 
value of A(i). In AsmL, parallelism is a default; you pay a syntactic price for 
sequentiality. 

The sorting algorithm of the program is not efficient but it is the most general 
algorithm for the purpose. Any other in-place sorting algorithm that proceeds 
one swap at a time and always advances is a specialization of our algorithm. 
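
An added Python model of the Swap/Sort specification above (it is not AsmL, not code from the AsmL distribution, and not the conformance-testing approach of [3]). It shows the parallel update, enumerates every run the nondeterministic `choose` permits, and checks a recorded trace of an implementation step by step against the specification; all function names are assumptions of this example.

```python
def allowed_swaps(A):
    """Pairs the spec's `choose` may pick: i < j and A(i) > A(j)."""
    n = len(A)
    return [(i, j) for i in range(n) for j in range(i + 1, n) if A[i] > A[j]]


def fire(A, i, j):
    """One ASM step for the chosen pair.

    Both updates A(i) := A(j) and A(j) := A(i) are evaluated in the
    current state and then applied together, so no temporary is needed.
    """
    updates = {i: A[j], j: A[i]}
    return [updates.get(k, x) for k, x in enumerate(A)]


def sequential_swap(A, i, j):
    """Misreading of the two update lines as sequential assignments:
    the second assignment reads the already overwritten A(i)."""
    B = list(A)
    B[i] = B[j]
    B[j] = B[i]
    return B


def all_runs(A):
    """Every run of `step until fixpoint Swap()` starting in state A.

    A run ends when no pair can be chosen (the update set is empty).
    Each allowed swap removes at least one inversion, so runs are finite.
    """
    choices = allowed_swaps(A)
    if not choices:
        return [[list(A)]]
    return [[list(A)] + rest
            for i, j in choices
            for rest in all_runs(fire(A, i, j))]


def conforms(trace):
    """Is a recorded list of states a possible run of the specification?

    Every step must be exactly one allowed swap, and the last state
    must be a fixpoint. No single expected trace (oracle) is needed.
    """
    for X, Y in zip(trace, trace[1:]):
        if len(X) != len(Y):
            return False
        diff = [k for k in range(len(X)) if X[k] != Y[k]]
        if len(diff) != 2:
            return False
        i, j = diff  # ascending, so i < j
        if not (X[i] > X[j] and Y[i] == X[j] and Y[j] == X[i]):
            return False
    return not allowed_swaps(trace[-1])


def bubble_trace(A):
    """Trace of bubble sort, a specialization that only swaps neighbours."""
    A = list(A)
    trace = [list(A)]
    changed = True
    while changed:
        changed = False
        for k in range(len(A) - 1):
            if A[k] > A[k + 1]:
                A[k], A[k + 1] = A[k + 1], A[k]
                trace.append(list(A))
                changed = True
    return trace


if __name__ == "__main__":
    for run in all_runs([3, 1, 2]):
        print("spec run:   ", run)
    print("bubble sort:", bubble_trace([3, 1, 2]),
          "conforms:", conforms(bubble_trace([3, 1, 2])))
    bad = [[3, 1, 2], sequential_swap([3, 1, 2], 0, 1)]
    print("sequential misreading:", bad, "conforms:", conforms(bad))
```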

5.3 A Demo

A demonstration of AsmL is planned for the talk. 



6 Requirements, Specifications, and Implementations 

Consider the development of a new piece of software (or maybe a new version of 
an old piece). A product idea gives rise to a (typically informal) description of 
the product formulating various requirements that the product is supposed to 
satisfy. This description is the starting point for writing a design specification. 
Eventually the specification is implemented. 



6.1 Does the Specification Satisfy the Requirements? 

The question can be restated thus: how to debug the specification? Whether
a specification is declarative or executable, it is important that it is readable. But
if the specification is executable, you can play out various scenarios. In the case 
of AsmL specification, given a few properties of the specification, the AsmL tool 
allows you to automatically derive a finite state machine that abstracts from 
other properties [7]. The finite state machine can be used to produce test suites 
and for model checking. 



6.2 Does the Implementation Satisfy the Specification? 

The question really is how to enforce the specification? To make the problem a 
bit more concrete, imagine that our product is just an API, that is an application 
programming interface, that reacts to particular actions. 

If the specification is deterministic, run a sequence of actions on the API 
specification and record the reactions; the result can be used as an oracle against 
which to test the implementation or implementations. 

However, specifications tend to be highly non-deterministic. The sorting
specification above is a good example. You cannot use it to produce an oracle
for conformance testing. To deal with this more general situation, a different
and much more subtle approach is being used by the group of Foundations of
Software Engineering [3]. We plan to illustrate the approach in the talk.



7 Postlude 

We hope that the story of the ASM project will support the maxim that there 
is nothing more practical than good theory. 

Abstract. We introduce a simple and practically efficient method for
repairing inconsistent databases. The idea is to properly represent the
underlying problem, and then use off-the-shelf applications for efficiently
computing the corresponding solutions.

Given a possibly inconsistent database, we represent the possible ways
to restore its consistency in terms of signed formulae. Then we show
how the ‘signed theory’ that is obtained can be used by a variety of
computational models for processing quantified Boolean formulae, or by
constraint logic program solvers, in order to rapidly and efficiently
compute desired solutions, i.e., consistent repairs of the database.



1 Introduction 

In this paper we consider a uniform representation of repairs of inconsistent
relational databases, that is, a general description of how to restore the
consistency of database instances that do not satisfy a given set of integrity
constraints. We then show how this description can be used by a variety of
computational methodologies for efficiently computing database repairs, i.e.,
new consistent database instances that differ from the original database
instance by a minimal set of changes (with respect to set inclusion or set
cardinality).

Reasoning with inconsistent databases has been extensively studied in the
last few years, especially in the context of integrating (possibly contradicting)
independent data-sources.¹ In this paper we introduce a novel representation of
the repair problem as a theory that consists of what we call signed formulae.
Then we illustrate how off-the-shelf computational systems can use the theory
to solve the problem, i.e., to compute repairs of the database. Here we apply two
types of tools for repairing a database:

— We show that the problem of finding repairs with minimal cardinality for
a given database can be converted to the problem of finding minimal Herbrand
models for the corresponding ‘signed theory’. Thus, once the process
for consistency restoration of the database has been represented by a signed
theory (using a polynomial transformation), tools for minimal model
computations (such as the Sicstus Prolog constraint solver [12], or the answer
set programming solver dlv [15]) can be used to efficiently find the required
repairs.

— For finding repairs that are minimal with respect to set inclusion,
satisfiability solvers on appropriate quantified Boolean formulae (QBF) can be
utilized. Again, we provide a polynomial-time transformation to (signed)
QBF theories, and show how QBF solvers [5,11,16,17,18,21,26] can be used
to restore the database consistency.

¹ See, e.g., [1,4,9,10,13,14,19,20,23] for more details on reasoning with
inconsistent databases and further references to related works.

The rest of the paper is organized as follows: In the next section we formally 
define the underlying problem and in Section 3 we show how to represent it 
by signed formulae. In Sections 4 and 5 we show how constraint solvers for 
logic programs and quantified Boolean formulae can be utilized for computing 
database repairs based on the signed theories. In Section 6 we present some 
experimental results, and in Section 7 we conclude with some further remarks 
and observations. 



2 Database Repairs 

Let $L$ be a first-order language, based on a fixed database schema $S$ and a
fixed domain $D$. Every element of $D$ has a unique name. A database instance
$\mathcal{D}$ consists of atoms in the language $L$ that are instances of the
schema $S$. As such, every database instance $\mathcal{D}$ has a finite active
domain, $\mathcal{A}(\mathcal{D})$, which is a subset of $D$.

A database is a pair $(\mathcal{D}, \mathcal{IC})$, where $\mathcal{D}$ is a
database instance, and $\mathcal{IC}$, the set of integrity constraints, is a
finite and classically consistent set of formulae in $L$. Given a database
$\mathcal{DB} = (\mathcal{D}, \mathcal{IC})$, we apply to it the closed world
assumption, so only the facts that are explicitly mentioned in $\mathcal{D}$
are considered true. The underlying semantics of a database
$(\mathcal{D}, \mathcal{IC})$ corresponds, therefore, to the least Herbrand
model of $\mathcal{D}$ (notation: $\mathcal{H}^{\mathcal{D}}$), i.e., the model
of $\mathcal{D}$ that assigns true to all the ground instances of atomic
formulae in $\mathcal{D}$, and assigns false to all the other atoms.

Given a database $\mathcal{DB} = (\mathcal{D}, \mathcal{IC})$, let

$$\mathcal{DB}^{\mathcal{A}} = \mathcal{D} \cup \mathcal{IC}^{\mathcal{A}} = \mathcal{D} \cup \{\rho(\psi) \mid \psi \in \mathcal{IC},\ \rho : var(\psi) \to \mathcal{A}(\mathcal{D})\},$$

where $\rho$ is a ground substitution of variables to the individuals of
$\mathcal{A}(\mathcal{D})$, the active domain of $\mathcal{D}$.²
$\mathcal{DB}^{\mathcal{A}}$ is called the Herbrand expansion of $\mathcal{DB}$.
As $\mathcal{D}$, $\mathcal{IC}$, and $\mathcal{A}(\mathcal{D})$ are all finite
sets, $\mathcal{DB}^{\mathcal{A}}$ is also finite, and so
$S^{\mathcal{DB}} = \{p_1, p_2, \ldots, p_n\}$, the set of the (ground) atomic
formulae that appear in $\mathcal{DB}^{\mathcal{A}}$, is finite as well. In
what follows we shall assume that the databases are grounded w.r.t. their active
domains, therefore we shall omit the superscripts of $\mathcal{IC}^{\mathcal{A}}$
and $\mathcal{DB}^{\mathcal{A}}$.

² Thus, e.g., $\rho(\forall x\, \psi(x)) = \psi(p_1) \wedge \ldots \wedge \psi(p_n)$
and $\rho(\exists x\, \psi(x)) = \psi(p_1) \vee \ldots \vee \psi(p_n)$, where
$p_1, \ldots, p_n$ are the elements of $\mathcal{A}(\mathcal{D})$; the
transformation for other formulae is standard.

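We say that a formula $\psi$ follows from a database instance $\mathcal{D}$
(notation: $\mathcal{D} \models \psi$) if the minimal Herbrand model of
$\mathcal{D}$ is also a model of $\psi$. A database
$\mathcal{DB} = (\mathcal{D}, \mathcal{IC})$ is consistent if every formula in
$\mathcal{IC}$ follows from $\mathcal{D}$ (notation:
$\mathcal{D} \models \mathcal{IC}$).³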

Given a possibly inconsistent database, our goal is to restore its consistency, 
i.e., to ‘repair’ the database: 

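Definition 2.1. An update of a database $\mathcal{DB} = (\mathcal{D}, \mathcal{IC})$
is a pair $(\mathsf{Insert}, \mathsf{Retract})$, s.t.
$\mathsf{Insert} \cap \mathcal{D} = \emptyset$ and
$\mathsf{Retract} \subseteq \mathcal{D}$.⁴ A repair of $\mathcal{DB}$ is an
update of $\mathcal{DB}$, for which
$(\mathcal{D} \cup \mathsf{Insert} \setminus \mathsf{Retract}, \mathcal{IC})$
is a consistent database.

Intuitively, a database is updated by inserting the elements of $\mathsf{Insert}$
and removing the elements of $\mathsf{Retract}$. An update is a repair when the
resulting database is consistent. Note that if $\mathcal{DB}$ is consistent,
then $(\emptyset, \emptyset)$ is a repair of $\mathcal{DB}$.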

Example 2.1. Let $\mathcal{DB} = (\{P(a)\}, \{\forall x (P(x) \to Q(x))\})$.
Clearly, this database is not consistent. The Herbrand expansion of
$\mathcal{DB}$ is $(\{P(a)\}, \{P(a) \to Q(a)\})$, and it has three repairs,
namely $\mathcal{R}_1 = (\{\}, \{P(a)\})$, $\mathcal{R}_2 = (\{Q(a)\}, \{\})$,
and $\mathcal{R}_3 = (\{Q(a)\}, \{P(a)\})$ that correspond, respectively, to
removing $P(a)$ from the database, inserting $Q(a)$ to the database, and
performing both actions simultaneously.

Note that as the underlying semantics is determined by Herbrand interpretations,
the Domain Closure Assumption⁵ is implicit here, and should be regarded
as another constraint that should be satisfied by every repair. Therefore, e.g.,
$(\{Q(b)\}, \{P(a)\})$ is not a repair of $\mathcal{DB}$ in this case, for any
$b \neq a$. Another implicit assumption, induced by the use of Herbrand
semantics, is that Clark’s equality axioms are satisfied, and so the elements
of $S^{\mathcal{DB}}$ are all different.

As the example above shows, there are many ways to repair a given database,
some of them may not be very natural or sensible. It is usual, therefore, to specify
some preference criterion on the possible repairs, and to apply only those that
are (most) preferred with respect to the underlying criterion. The most common
criteria for preferring a repair $(\mathsf{Insert}, \mathsf{Retract})$ over a
repair $(\mathsf{Insert}', \mathsf{Retract}')$ are set inclusion
[1,4,9,10,14,19,20], i.e.,

$(\mathsf{Insert}, \mathsf{Retract}) \leq_i (\mathsf{Insert}', \mathsf{Retract}')$, if $\mathsf{Insert} \cup \mathsf{Retract} \subseteq \mathsf{Insert}' \cup \mathsf{Retract}'$,

or minimal cardinality [4,13,23], i.e.,

$(\mathsf{Insert}, \mathsf{Retract}) \leq_c (\mathsf{Insert}', \mathsf{Retract}')$, if $|\mathsf{Insert}| + |\mathsf{Retract}| \leq |\mathsf{Insert}'| + |\mathsf{Retract}'|$.

Both criteria above reflect the intuitive feeling that a ‘natural’ way to repair an
inconsistent database should require some minimal amount of changes, therefore
the recovered data is kept ‘as close as possible’ to the original one. According
to this view, for instance, each one of the repairs $\mathcal{R}_1$ and
$\mathcal{R}_2$ of Example 2.1 is strictly better than $\mathcal{R}_3$. Note
also, that $(\emptyset, \emptyset)$ is the only $\leq_i$-preferred and
$\leq_c$-preferred repair of consistent databases, as expected.

³ That is, there is no integrity constraint that is violated in $\mathcal{D}$.

⁴ Note that by conditions (1) and (2) it follows that
$\mathsf{Insert} \cap \mathsf{Retract} = \emptyset$.

⁵ Namely, that the domain of every variable is in the set $S^{\mathcal{DB}}$ of
the ground atoms that appear in $\mathcal{DB}$.



3 Representation of Repairs by Signed Formulae 



In what follows we represent (preferred) repairs in terms of what we call ‘signed 
formulae’. Then we incorporate corresponding solvers in order to compute the 
repairs. 

For every (ground) atom $p \in S^{\mathcal{DB}}$ we introduce a new atom, $s_p$,
intuitively understood as ‘switch $p$’, or ‘change the status of $p$’, that is,
$s_p$ holds iff $p \in \mathsf{Insert} \cup \mathsf{Retract}$. For every
integrity constraint $\psi \in \mathcal{IC}$ we define a new formula,
$\overline{\psi}$, obtained from $\psi$ by simultaneously substituting every
appearance of an atom $p$ by a corresponding expression $\tau_p$ that is defined
as follows:

$$\tau_p = \begin{cases} \neg s_p & \text{if } p \in \mathcal{D}, \\ s_p & \text{otherwise.} \end{cases}$$

The formula $\overline{\psi} = \psi[\tau_{p_1}/p_1, \ldots, \tau_{p_m}/p_m]$
(i.e., the simultaneous substitution in $\psi$ of all the atomic formulae $p_i$,
$1 \leq i \leq m$, by their ‘signed expressions’ $\tau_{p_i}$) is called the
signed formula that is obtained from $\psi$.



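Given a repair $\mathcal{R} = (\mathsf{Insert}, \mathsf{Retract})$ of a database
$\mathcal{DB}$, define a valuation $\nu^{\mathcal{R}}$ on
$\{s_p \mid p \in S^{\mathcal{DB}}\}$ as follows:

$$\nu^{\mathcal{R}}(s_p) = t \ \text{ iff } \ p \in \mathsf{Insert} \cup \mathsf{Retract}.$$

$\nu^{\mathcal{R}}$ is called the valuation that is associated with
$\mathcal{R}$. Conversely, a valuation $\nu$ on
$\{s_p \mid p \in S^{\mathcal{DB}}\}$ induces a database update
$\mathcal{R}^{\nu} = (\mathsf{Insert}, \mathsf{Retract})$, where
$\mathsf{Insert} = \{p \notin \mathcal{D} \mid \nu(s_p) = t\}$ and
$\mathsf{Retract} = \{p \in \mathcal{D} \mid \nu(s_p) = t\}$.⁶ Obviously,
these mappings are the inverse of each other.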



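Example 3.1. Let $\mathcal{DB} = (\{p\}, \{p \to q\})$ be a ground
representation of the database considered in Example 2.1. In this case, the
signed formula of $\psi = p \to q$ is $\overline{\psi} = \neg s_p \to s_q$, or,
equivalently, $s_p \vee s_q$. Intuitively, this formula indicates that in
order to restore the consistency of $\mathcal{DB}$, at least one of $p$ or $q$
should be ‘switched’, i.e., either $p$ should be removed from the database or
$q$ should be inserted to it. Indeed, the three classical models of
$\overline{\psi}$ are exactly the three valuations on $\{s_p, s_q\}$ that are
associated with the three repairs of $\mathcal{DB}$ (see Example 2.1). The
next theorem shows that this is not a coincidence.

⁶ Clearly, $\mathcal{R}^{\nu}$ is an update of $\mathcal{DB}$, but it is not
necessarily a repair of $\mathcal{DB}$ (see Definition 2.1).

Theorem 3.1. Let $\mathcal{DB} = (\mathcal{D}, \mathcal{IC})$ be a database.
Denote: $\overline{\mathcal{IC}} = \{\overline{\psi} \mid \psi \in \mathcal{IC}\}$.

a) if $\mathcal{R}$ is a repair of $\mathcal{DB}$ then $\nu^{\mathcal{R}}$ is a
model of $\overline{\mathcal{IC}}$,

b) if $\nu$ is a model of $\overline{\mathcal{IC}}$ then $\mathcal{R}^{\nu}$ is
a repair of $\mathcal{DB}$.

Proof. For (a), suppose that $\mathcal{R}$ is a repair of
$\mathcal{DB} = (\mathcal{D}, \mathcal{IC})$. Then, in particular,
$\mathcal{D}_{\mathcal{R}} \models \mathcal{IC}$, where
$\mathcal{D}_{\mathcal{R}} = \mathcal{D} \cup \mathsf{Insert} \setminus \mathsf{Retract}$.
Let $\mathcal{H}^{\mathcal{D}_{\mathcal{R}}}$ be the least Herbrand model of
$\mathcal{D}_{\mathcal{R}}$, and let $\psi \in \mathcal{IC}$. Then
$\mathcal{H}^{\mathcal{D}_{\mathcal{R}}}(\psi) = t$, and so it remains to show
that $\nu^{\mathcal{R}}(\overline{\psi}) = \mathcal{H}^{\mathcal{D}_{\mathcal{R}}}(\psi)$.
The proof of this is by induction on the structure of $\psi$, and we show only
the base step (the rest is trivial), i.e., for every $p \in S^{\mathcal{DB}}$,
$\nu^{\mathcal{R}}(\overline{p}) = \mathcal{H}^{\mathcal{D}_{\mathcal{R}}}(p)$.
Indeed,

- $p \in \mathcal{D} \setminus \mathsf{Retract} \Rightarrow p \in \mathcal{D}_{\mathcal{R}} \Rightarrow \nu^{\mathcal{R}}(\overline{p}) = \nu^{\mathcal{R}}(\neg s_p) = \neg\nu^{\mathcal{R}}(s_p) = \neg f = t = \mathcal{H}^{\mathcal{D}_{\mathcal{R}}}(p)$.

- $p \in \mathsf{Retract} \Rightarrow p \in \mathcal{D} \setminus \mathcal{D}_{\mathcal{R}} \Rightarrow \nu^{\mathcal{R}}(\overline{p}) = \nu^{\mathcal{R}}(\neg s_p) = \neg\nu^{\mathcal{R}}(s_p) = \neg t = f = \mathcal{H}^{\mathcal{D}_{\mathcal{R}}}(p)$.

- $p \in \mathsf{Insert} \Rightarrow p \in \mathcal{D}_{\mathcal{R}} \setminus \mathcal{D} \Rightarrow \nu^{\mathcal{R}}(\overline{p}) = \nu^{\mathcal{R}}(s_p) = t = \mathcal{H}^{\mathcal{D}_{\mathcal{R}}}(p)$.

- $p \notin \mathcal{D} \cup \mathsf{Insert} \Rightarrow p \notin \mathcal{D}_{\mathcal{R}} \Rightarrow \nu^{\mathcal{R}}(\overline{p}) = \nu^{\mathcal{R}}(s_p) = f = \mathcal{H}^{\mathcal{D}_{\mathcal{R}}}(p)$.

For part (b), suppose that $\nu$ is a model of $\overline{\mathcal{IC}}$. Let

$$\mathcal{R}^{\nu} = (\mathsf{Insert}, \mathsf{Retract}) = (\{p \notin \mathcal{D} \mid \nu(s_p) = t\}, \{p \in \mathcal{D} \mid \nu(s_p) = t\}).$$

We shall show that $\mathcal{R}^{\nu}$ is a repair of $\mathcal{DB}$. According
to Definition 2.1, it is obviously an update. It remains to show that every
$\psi \in \mathcal{IC}$ follows from
$\mathcal{D}_{\mathcal{R}} = \mathcal{D} \cup \mathsf{Insert} \setminus \mathsf{Retract}$,
i.e., that $\mathcal{H}^{\mathcal{D}_{\mathcal{R}}}(\psi) = t$, where
$\mathcal{H}^{\mathcal{D}_{\mathcal{R}}}$ is the least Herbrand model of
$\mathcal{D}_{\mathcal{R}}$. Since $\nu$ is a model of $\overline{\mathcal{IC}}$,
$\nu(\overline{\psi}) = t$, and so it remains to show that
$\mathcal{H}^{\mathcal{D}_{\mathcal{R}}}(\psi) = \nu(\overline{\psi})$. Again,
the proof is by induction on the structure of $\psi$, and we show only the base
step, that is: for every $p \in S^{\mathcal{DB}}$,
$\mathcal{H}^{\mathcal{D}_{\mathcal{R}}}(p) = \nu(\overline{p})$:

- $p \in \mathcal{D} \setminus \mathsf{Retract} \Rightarrow p \in \mathcal{D}_{\mathcal{R}},\ \nu(s_p) = f \Rightarrow \mathcal{H}^{\mathcal{D}_{\mathcal{R}}}(p) = t = \neg\nu(s_p) = \nu(\neg s_p) = \nu(\overline{p})$.

- $p \in \mathsf{Retract} \Rightarrow p \in \mathcal{D} \setminus \mathcal{D}_{\mathcal{R}},\ \nu(s_p) = t \Rightarrow \mathcal{H}^{\mathcal{D}_{\mathcal{R}}}(p) = f = \neg\nu(s_p) = \nu(\neg s_p) = \nu(\overline{p})$.

- $p \in \mathsf{Insert} \Rightarrow p \in \mathcal{D}_{\mathcal{R}} \setminus \mathcal{D},\ \nu(s_p) = t \Rightarrow \mathcal{H}^{\mathcal{D}_{\mathcal{R}}}(p) = t = \nu(s_p) = \nu(\overline{p})$.

- $p \notin \mathcal{D} \cup \mathsf{Insert} \Rightarrow p \notin \mathcal{D}_{\mathcal{R}},\ \nu(s_p) = f \Rightarrow \mathcal{H}^{\mathcal{D}_{\mathcal{R}}}(p) = f = \nu(s_p) = \nu(\overline{p})$. □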

The last theorem implies, in particular, that in order to compute repairs for
a given database $\mathcal{DB}$, it is sufficient to find the models of the
signed formulae that are induced by the integrity constraints of $\mathcal{DB}$;
the pairs that are induced by these models are the repairs of $\mathcal{DB}$.

Example 3.2. Consider again the (grounded) database of Examples 2.1 and 3.1.
The corresponding signed formula $\overline{\psi} = s_p \vee s_q$ has three
models $\{s_p : t, s_q : f\}$, $\{s_p : f, s_q : t\}$, and
$\{s_p : t, s_q : t\}$.⁷ These models induce, respectively, three pairs,
$(\{\}, \{p\})$, $(\{q\}, \{\})$, and $(\{q\}, \{p\})$, which are the repairs of
$\mathcal{DB}$ (cf. Example 2.1).

⁷ We are denoting here by $p : x$ the fact that the atom $p$ is assigned the
value $x$ by the corresponding valuation.
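
The correspondence of Theorem 3.1 can be exercised directly on small ground databases. The following Python sketch is an added example, not code from the paper: it builds the signed formulae, enumerates the models of the signed theory by brute force, maps each model to its (Insert, Retract) pair, and filters the repairs by the two preference criteria of Section 2. The tuple encoding of formulae, the function names, and the second database (a constructed one on which the two criteria disagree) are assumptions of the example.

```python
from itertools import product

# Ground formulae as nested tuples (a representation chosen for this example):
#   ("atom", "p"), ("not", f), ("and", f, g), ("or", f, g), ("imp", f, g)

def atoms(f):
    """Names of the atoms occurring in formula f."""
    if f[0] == "atom":
        return {f[1]}
    return set().union(*(atoms(g) for g in f[1:]))

def sign(f, db):
    """Signed formula of f: atom p becomes (not s_p) if p is in db, else s_p."""
    if f[0] == "atom":
        s = ("atom", "s_" + f[1])
        return ("not", s) if f[1] in db else s
    return (f[0],) + tuple(sign(g, db) for g in f[1:])

def holds(f, val):
    """Classical truth value of f under the valuation val (dict name -> bool)."""
    op = f[0]
    if op == "atom":
        return val[f[1]]
    if op == "not":
        return not holds(f[1], val)
    if op == "and":
        return holds(f[1], val) and holds(f[2], val)
    if op == "or":
        return holds(f[1], val) or holds(f[2], val)
    if op == "imp":
        return (not holds(f[1], val)) or holds(f[2], val)
    raise ValueError("unknown connective: %r" % (op,))

def repairs(db, ics):
    """All repairs (Insert, Retract): one per model of the signed theory."""
    db = set(db)
    universe = sorted(db.union(*(atoms(c) for c in ics)))
    signed = [sign(c, db) for c in ics]
    found = []
    for bits in product([False, True], repeat=len(universe)):
        val = {"s_" + p: b for p, b in zip(universe, bits)}
        if all(holds(c, val) for c in signed):
            switched = {p for p, b in zip(universe, bits) if b}
            found.append((frozenset(switched - db), frozenset(switched & db)))
    return found

def preferred_c(reps):
    """Repairs with the fewest changes (minimal |Insert| + |Retract|)."""
    if not reps:
        return []
    best = min(len(i) + len(r) for i, r in reps)
    return [(i, r) for i, r in reps if len(i) + len(r) == best]

def preferred_i(reps):
    """Repairs whose change set has no proper subset that is also a repair."""
    changed = [i | r for i, r in reps]
    return [rep for rep, c in zip(reps, changed)
            if not any(other < c for other in changed)]

P, Q, R = ("atom", "p"), ("atom", "q"), ("atom", "r")
EXAMPLE_2_1 = ({"p"}, [("imp", P, Q)])                # database of Example 2.1
CONSTRUCTED = ({"p"}, [("imp", P, ("and", Q, R))])    # made up for this example

if __name__ == "__main__":
    for db, ics in (EXAMPLE_2_1, CONSTRUCTED):
        reps = repairs(db, ics)
        show = lambda xs: [tuple(map(sorted, x)) for x in xs]
        print(len(reps), "repairs")
        print("  cardinality-preferred:", show(preferred_c(reps)))
        print("  inclusion-preferred:  ", show(preferred_i(reps)))
```

On the constructed database, retracting p is the only cardinality-preferred repair, while inserting both q and r is also inclusion-preferred, since neither change set contains the other.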

4 Computing Preferred Repairs by Model Generation

In this section we show how solvers for constraint logic programs (CLPs),
answer-set programming (ASP) and SAT solvers can be used for computing
$\leq_c$-preferred repairs and $\leq_i$-preferred repairs. The experimental
results are presented in Section 6.

4.1 Computing $\leq_c$-Preferred Repairs

By Theorem 3.1, the repairs of a database correspond exactly to the models of
the signed theory. It is straightforward to see that $\leq_c$-preferred repairs
of $\mathcal{DB}$ (i.e., those with minimal cardinality) correspond to models of
$\overline{\mathcal{IC}}$ that minimize the number of $t$-assignments of the
atoms $s_p$. Hence, the problem is to find Herbrand models for
$\overline{\mathcal{IC}}$ with minimal cardinality (called $\leq_c$-minimal
Herbrand models).

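Theorem 4.1. Let $\mathcal{DB} = (\mathcal{D}, \mathcal{IC})$ be a database and
$\overline{\mathcal{IC}} = \{\overline{\psi} \mid \psi \in \mathcal{IC}\}$. Then:

a) if $\mathcal{R}$ is a $\leq_c$-preferred repair of $\mathcal{DB}$, then
$\nu^{\mathcal{R}}$ is a $\leq_c$-minimal Herbrand model of
$\overline{\mathcal{IC}}$.

b) if $\nu$ is a $\leq_c$-minimal Herbrand model of $\overline{\mathcal{IC}}$,
then $\mathcal{R}^{\nu}$ is a $\leq_c$-preferred repair of $\mathcal{DB}$.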

We discuss two techniques to compute $\leq_c$-minimal Herbrand models. The
first approach is to use a finite domain CLP solver. Encoding the computation
of a $\leq_c$-preferred repair using a finite domain constraint solver is a
straightforward process. The ‘switch atoms’ $s_p$ are encoded as finite domain
variables with domain {0, 1}. A typical encoding specifies the relevant
constraints (i.e., the encoding of $\overline{\mathcal{IC}}$), assigns a special
variable, Sum, for summing-up all the signed variables that are assigned the
value ‘1’, and asks for a solution with a minimal value for Sum.

Example 4.1. Below is a code for repairing the database of Example 3.2 with
Sicstus Prolog finite domain constraint solver CLP(FD) [12].⁸

    :- use_module(library(clpfd)).          % load the finite domain solver

    ?- domain([Sp,Sq],0,1),                 % domain of the signed atoms
       Sp #\/ Sq,                           % the signed theory
       sum([Sp,Sq],#=,Sum),                 % Sum = num of vars with val 1
       minimize(labeling([],[Sp,Sq]),Sum).  % find a solution with min sum

The solutions computed here are [1,0] and [0,1], and the value of Sum is 1.

This means that the cardinality of the $\leq_c$-preferred repairs of
$\mathcal{DB}$ should be 1, and that these repairs are induced by the valuations
$\nu_1 = \{s_p : t, s_q : f\}$ and $\nu_2 = \{s_p : f, s_q : t\}$. Thus, the two
$\leq_c$-minimal repairs here are $(\{\}, \{p\})$ and $(\{q\}, \{\})$, which
indeed insert or retract exactly one atomic formula.

⁸ A Boolean constraint solver would also be appropriate here. As Sicstus Prolog
Boolean constraint solver has no minimization capabilities, we prefer to use here
the finite domain constraint solver.

A second approach is to use the disjunctive logic programming system DLV
[15]. To compute $\leq_c$-minimal repairs using DLV, the signed theory
$\overline{\mathcal{IC}}$ is transformed into a propositional clausal form. A
clausal theory is a special case of a disjunctive logic program without negation
in the body of the clauses. The stable models of a disjunctive logic program
without negation as failure in the body of rules coincide exactly with the
$\leq_i$-minimal models of such a program. Hence, by transforming the signed
theory $\overline{\mathcal{IC}}$ to clausal form, DLV can be used to compute
$\leq_i$-minimal Herbrand models. To eliminate models with non-minimal
cardinality, weak constraints are used. A weak constraint is a formula for which
a cost value is defined. With each model computed by DLV, a cost is defined as
the sum of the cost values of all weak constraints satisfied in the model. The
DLV system can be asked to generate models with minimal total cost. The set
of weak constraints used to compute $\leq_c$-minimal repairs is exactly the set
of all atoms $s_p$; each atom has cost 1. Clearly, $\leq_i$-minimal models of a
theory with minimal total cost are exactly the models with least cardinality.

Example 4.2. Below is a code for repairing the database of Example 3.2 with
DLV.

    % atom names are written in lower case: DLV reads capitalised
    % identifiers as variables
    sp v sq.     % the clause
    :~ sp.       % the weak constraints (their cost is 1 by default)
    :~ sq.

Clearly, the solutions here are $\{s_p : t, s_q : f\}$ and
$\{s_p : f, s_q : t\}$. These valuations induce the two $\leq_c$-minimal repairs
of $\mathcal{DB}$, $\mathcal{R}_1 = (\{\}, \{p\})$ and
$\mathcal{R}_2 = (\{q\}, \{\})$.



4.2 Computing $\leq_i$-Preferred Repairs

The $\leq_i$-preferred repairs of a database correspond to minimal Herbrand
models with respect to set inclusion of the signed theory
$\overline{\mathcal{IC}}$. We focus on the computation of one minimal model. The
reason is simply that in most sizable applications, the computation of all
minimal models is not feasible (there are too many of them). We consider here
three simple techniques to compute a $\leq_i$-preferred repair. In the next
section we consider another more complex method.

I. One technique, mentioned already in the previous section, is to transform
$\overline{\mathcal{IC}}$ to clausal form and use the DLV system. In this case
the weak constraints are not needed.

II. Another possibility is to adapt CLP-techniques to compute $\leq_i$-minimal
models of Boolean constraints. The idea is simply to make sure that whenever a
Boolean variable (or a finite domain variable with domain {0, 1}) is selected
for being assigned a value, one first assigns the value 0 before trying to assign
the value 1.

Proposition 4.1. If the above strategy for value selection is used, then the
first computed model is provably a $\leq_i$-minimal model.

Proof. Consider the search tree of the CLP-problem. Each path in this
tree represents a value assignment to a subset of the constraint variables.
Internal nodes, corresponding to partial solutions, are labeled with the variable
selected by the labeling function of the solver and have two children:
the left child assigns value 0 to the selected variable and the right child
assigns value 1. We say that node $n_2$ is on the right of a node $n_1$ in
this tree if $n_2$ appears in the right subtree, and $n_1$ appears in the left
subtree of the deepest common ancestor node of $n_1$ and $n_2$. It is then
easy to see that in such a tree, each node $n_2$ to the right of a node $n_1$
assigns the value 1 to the variable selected in this ancestor node, whereas
$n_1$ assigns value 0 to this variable. Consequently, the left-most node in
the search tree which is a model of the Boolean constraints, is
$\leq_i$-minimal. □

In CLP-systems such as Sicstus Prolog, one can control the order in which
values are assigned to variables. We have implemented the above strategy
and discuss the results in Section 6.

III. A third technique considered here uses SAT-solvers. SAT-solvers, such as
zChaff [25], do not compute directly minimal models, but can be easily extended
to do so. The algorithm uses the SAT-solver to generate models of
the theory $T$, until it finds a minimal model. Minimality of a model $M$ of $T$
can be verified by checking the unsatisfiability of $T$, augmented with the
axioms $\bigvee_{p \in M} \neg p$ and $\bigwedge_{p \notin M} \neg p$. The model
$M$ is minimal exactly when these axioms are inconsistent with $T$. This
approach has been tested using the SAT solver zChaff [25]; the results are
discussed in Section 6.
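
Techniques II and III can be tried on a small clausal signed theory. The Python sketch below is an added example, not the authors' implementation: a plain backtracking search stands in for the CLP labeling and for the SAT solver, the clause encoding and function names are assumptions, and the `shrink` loop, which reuses the model of the augmented theory as the next candidate, is one common way to realise the "generate models until a minimal one is found" step. The input is the signed theory of a constructed database D = {p}, IC = {p → (q ∧ r)}.

```python
def first_model(clauses, n_vars, order=(False, True), assign=()):
    """Depth-first labeling of variables 1..n_vars, trying values in `order`.
    Clauses are lists of non-zero ints: i means s_i, -i means (not s_i)."""
    for clause in clauses:
        # prune: every literal of this clause is already assigned and false
        if all(abs(l) <= len(assign) and assign[abs(l) - 1] != (l > 0)
               for l in clause):
            return None
    if len(assign) == n_vars:
        return assign
    for value in order:
        model = first_model(clauses, n_vars, order, assign + (value,))
        if model is not None:
            return model
    return None

def augment(model):
    """Axioms of technique III: some atom that is true in M becomes false,
    and every atom that is false in M stays false."""
    some_true_dropped = [-(i + 1) for i, v in enumerate(model) if v]
    false_stay_false = [[-(i + 1)] for i, v in enumerate(model) if not v]
    return [some_true_dropped] + false_stay_false

def is_minimal(clauses, n_vars, model):
    """M is inclusion-minimal iff the theory plus augment(M) is unsatisfiable."""
    return first_model(clauses + augment(model), n_vars) is None

def shrink(clauses, n_vars, model, order=(True, False)):
    """Replace a model by a strictly smaller one until none exists."""
    while True:
        smaller = first_model(clauses + augment(model), n_vars, order)
        if smaller is None:
            return model
        model = smaller

def to_update(model, names, db):
    """(Insert, Retract) induced by a valuation of the switch atoms."""
    switched = {a for a, v in zip(names, model) if v}
    return switched - db, switched & db

# Constructed input: D = {p}, IC = {p -> (q and r)}.  Its signed theory
# (not s_p) -> (s_q and s_r) in clausal form is (s_p or s_q), (s_p or s_r).
NAMES, DB = ["p", "q", "r"], {"p"}
THEORY = [[1, 2], [1, 3]]

if __name__ == "__main__":
    zero_first = first_model(THEORY, 3)                      # technique II
    one_first = first_model(THEORY, 3, order=(True, False))  # wrong value order
    print(zero_first, is_minimal(THEORY, 3, zero_first))
    print(one_first, is_minimal(THEORY, 3, one_first))
    print(to_update(shrink(THEORY, 3, one_first), NAMES, DB))
```

The 0-before-1 search returns the repair that inserts q and r, which is inclusion-minimal but not cardinality-minimal; trying 1 first returns the non-minimal model that switches all three atoms, which the technique III check rejects and `shrink` reduces to retracting p.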

5 Computing $\leq_i$-Preferred Repairs by QBF Solvers

In this section we show how solvers for quantified Boolean formulae (QBFs) can
be used for computing the $\leq_i$-preferred repairs of a given database. In
this case it is necessary to add to the signed formulae of
$\overline{\mathcal{IC}}$ an axiom (represented by a quantified Boolean formula)
that expresses $\leq_i$-minimality, i.e., that an $\leq_i$-preferred repair is
not included in any other database repair. Then, QBF solvers such as QUBOS [5],
EVALUATE [11], QUIP [16], QSOLVE [17], QuBE [18], QKN [21], SEMPROP [22], and
DECIDE [26], can be applied to the signed quantified Boolean theory that is
obtained, in order to compute the $\leq_i$-preferred repairs of the database.
Below we give a formal description of this process.

5.1 Quantified Boolean Formulae 

Quantified Boolean formulae (QBFs) are propositional formulae extended with
quantifiers $\forall$, $\exists$ over propositional variables. In what follows
we shall denote propositional formulae by Greek lower-case letters (usually
$\psi$, $\phi$) and QBFs by Greek upper-case letters (e.g., $\Psi$, $\Phi$).
Intuitively, the meaning of a QBF of the form $\exists p\, \forall q\, \psi$ is
that there exists a truth assignment of $p$ such that $\psi$ is true for
every truth assignment of $q$. Next we formalize this intuition.

As usual, we say that an occurrence of an atomic formula $p$ is free if it
is not in the scope of a quantifier $Qp$, for $Q \in \{\forall, \exists\}$, and
we denote by $\Psi[\phi_1/p_1, \ldots, \phi_m/p_m]$ the uniform substitution of
each free occurrence of a variable $p_i$ in $\Psi$ by a formula $\phi_i$, for
$i = 1, \ldots, m$. The notion of a valuation is extended to QBFs as follows:
Given a function $\nu_{at} : S^{\mathcal{DB}} \cup \{\mathsf{t}, \mathsf{f}\} \to \{t, f\}$
s.t. $\nu_{at}(\mathsf{t}) = t$ and $\nu_{at}(\mathsf{f}) = f$, a valuation
$\nu$ on QBFs is recursively defined as follows:

$\nu(p) = \nu_{at}(p)$ for every $p \in S^{\mathcal{DB}} \cup \{\mathsf{t}, \mathsf{f}\}$,

$\nu(\neg\psi) = \neg\nu(\psi)$,

$\nu(\psi \circ \phi) = \nu(\psi) \circ \nu(\phi)$, where $\circ \in \{\wedge, \vee, \to, \leftrightarrow\}$,

$\nu(\forall p\, \psi) = \nu(\psi[\mathsf{t}/p]) \wedge \nu(\psi[\mathsf{f}/p])$,

$\nu(\exists p\, \psi) = \nu(\psi[\mathsf{t}/p]) \vee \nu(\psi[\mathsf{f}/p])$.

A valuation $\nu$ satisfies a QBF $\Psi$ if $\nu(\Psi) = t$; $\nu$ is a model of
a set $\Gamma$ of QBFs if it satisfies every element of $\Gamma$. A QBF $\Psi$
is entailed by a set $\Gamma$ of QBFs (notation: $\Gamma \models \Psi$) if every
model of $\Gamma$ is also a model of $\Psi$. In what follows we shall use
the following notations: for two valuations $\nu_1$ and $\nu_2$ we denote by
$\nu_1 \leq \nu_2$ that for every atomic formula $p$,
$\nu_1(p) \to \nu_2(p)$ is true. We shall also write $\nu_1 < \nu_2$ to
denote that $\nu_1 \leq \nu_2$ and $\nu_2 \not\leq \nu_1$.

5.2 Representing $\leq_i$-Preferred Repairs by Signed QBFs

It is well-known that quantified Boolean formulae can be used for representing
circumscription [24], thus they properly express logical minimization [7,8]. In
our case we use this property for expressing minimization of repairs w.r.t. set
inclusion.

Given a database $\mathcal{DB} = (\mathcal{D}, \mathcal{IC})$, denote by
$\overline{\mathcal{IC}}^{\wedge}$ the conjunction of all the elements in
$\overline{\mathcal{IC}}$ (i.e., the conjunction of all the signed formulae that
are obtained from the integrity constraints of $\mathcal{DB}$). Consider the
following QBF, denoted $\Psi_{\mathcal{DB}}$:

$$\forall s'_{p_1}, \ldots, s'_{p_n} \Big( \overline{\mathcal{IC}}^{\wedge}[s'_{p_1}/s_{p_1}, \ldots, s'_{p_n}/s_{p_n}] \to \Big( \bigwedge_{i=1}^{n} (s'_{p_i} \to s_{p_i}) \to \bigwedge_{i=1}^{n} (s_{p_i} \to s'_{p_i}) \Big) \Big).$$

Consider a model $\nu$ of $\overline{\mathcal{IC}}^{\wedge}$, i.e., a valuation
for $s_{p_1}, \ldots, s_{p_n}$ that makes $\overline{\mathcal{IC}}^{\wedge}$
true. The QBF $\Psi_{\mathcal{DB}}$ expresses that every interpretation $\mu$
(valuation for $s'_{p_1}, \ldots, s'_{p_n}$) that is a model of
$\overline{\mathcal{IC}}^{\wedge}$, has the property that $\mu \leq \nu$ implies
$\nu \leq \mu$, i.e., there is no model $\mu$ of
$\overline{\mathcal{IC}}^{\wedge}$, s.t. the set $\{s_p \mid \nu(s_p) = t\}$
properly contains the set $\{s_p \mid \mu(s_p) = t\}$. In terms of database
repairs, this means that if
$\mathcal{R}^{\nu} = (\mathsf{Insert}, \mathsf{Retract})$ and
$\mathcal{R}^{\mu} = (\mathsf{Insert}', \mathsf{Retract}')$ are the database
repairs that are associated, respectively, with $\nu$ and $\mu$, then
$\mathsf{Insert}' \cup \mathsf{Retract}' \not\subset \mathsf{Insert} \cup \mathsf{Retract}$.
It follows, therefore, that in this case $\mathcal{R}^{\nu}$ is a
$\leq_i$-preferred repair of $\mathcal{DB}$, and in general
$\Psi_{\mathcal{DB}}$ represents $\leq_i$-minimality.

Example 5.1. With the database $\mathcal{DB}$ of Examples 2.1, 3.1, and 3.2,
$\overline{\mathcal{IC}} \cup \Psi_{\mathcal{DB}}$ is the following theory,
$\Gamma$:

$$\Gamma = \big\{\, s_p \vee s_q,\ \ \forall s'_p \forall s'_q \big( (s'_p \vee s'_q) \to ((s'_p \to s_p) \wedge (s'_q \to s_q) \to (s_p \to s'_p) \wedge (s_q \to s'_q)) \big) \,\big\}.$$

The models of $\Gamma$ are those that assign $t$ either to $s_p$ or to $s_q$,
but not to both of them, i.e., $\nu_1 = (s_p : t, s_q : f)$ and
$\nu_2 = (s_p : f, s_q : t)$. The database updates that are induced by these
valuations are, respectively, $\mathcal{R}^{\nu_1} = (\{\}, \{p\})$ and
$\mathcal{R}^{\nu_2} = (\{q\}, \{\})$. By Theorem 5.1 below, these are the only
$\leq_i$-preferred repairs of $\mathcal{DB}$.

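Theorem 5.1. Let $\mathcal{DB} = (\mathcal{D}, \mathcal{IC})$ be a database and
$\overline{\mathcal{IC}} = \{\overline{\psi} \mid \psi \in \mathcal{IC}\}$. Then:

a) if $\mathcal{R}$ is an $\leq_i$-preferred repair of $\mathcal{DB}$ then
$\nu^{\mathcal{R}}$ is a model of
$\overline{\mathcal{IC}} \cup \Psi_{\mathcal{DB}}$,

b) if $\nu$ is a model of $\overline{\mathcal{IC}} \cup \Psi_{\mathcal{DB}}$
then $\mathcal{R}^{\nu}$ is an $\leq_i$-preferred repair of $\mathcal{DB}$.

Proof. Suppose that $\mathcal{R} = (\mathsf{Insert}, \mathsf{Retract})$ is an
$\leq_i$-preferred repair of $\mathcal{DB}$. In particular, it is a repair of
$\mathcal{DB}$ and so, by Theorem 3.1, $\nu^{\mathcal{R}}$ is a model of
$\overline{\mathcal{IC}}$. Since Theorem 3.1 also assures that a database update
that is induced by a model of $\overline{\mathcal{IC}}$ is a repair of
$\mathcal{DB}$, in order to prove both parts of the theorem, it remains to show
that the fact that $\nu^{\mathcal{R}}$ satisfies $\Psi_{\mathcal{DB}}$ is a
necessary and sufficient condition for assuring that $\mathcal{R}$ is
$\leq_i$-minimal among the repairs of $\mathcal{DB}$. Indeed,
$\nu^{\mathcal{R}}$ satisfies $\Psi_{\mathcal{DB}}$ iff for every valuation
$\mu$ that satisfies $\overline{\mathcal{IC}}^{\wedge}$ and for which
$\mu \leq \nu^{\mathcal{R}}$, it is also true that $\nu^{\mathcal{R}} \leq \mu$.
Thus, $\nu^{\mathcal{R}}$ satisfies $\Psi_{\mathcal{DB}}$ iff there is no model
$\mu$ of $\overline{\mathcal{IC}}$ s.t. $\mu < \nu^{\mathcal{R}}$, iff (by
Theorem 3.1 again) there is no repair $\mathcal{R}'$ of $\mathcal{DB}$ s.t.
$\nu^{\mathcal{R}'} < \nu^{\mathcal{R}}$, iff there is no repair
$\mathcal{R}' = (\mathsf{Insert}', \mathsf{Retract}')$ s.t.
$\mathsf{Insert}' \cup \mathsf{Retract}' \subset \mathsf{Insert} \cup \mathsf{Retract}$,
iff $\mathcal{R}$ is an $\leq_i$-minimal repair of $\mathcal{DB}$. □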

Note 5.1. (Complexity results) A skeptical (conservative) approach to query
answering is considered, e.g., in [1,19], where an answer to a query $Q$ and a
database $\mathcal{DB}$ is evaluated with respect to (the databases that are
obtained from) all the $\leq_i$-preferred repairs of $\mathcal{DB}$. A credulous
approach to the same problem evaluates queries with respect to some
$\leq_i$-preferred repair of $\mathcal{DB}$. Theorem 5.1 implies the
following upper complexity bounds for these approaches:

Corollary 5.1. Credulous query answering lies in $\Sigma_2^P$, and skeptical
query answering is in $\Pi_2^P$.

Proof. By Theorem 5.1, credulous query answering is equivalent to satisfiability
checking for $\overline{\mathcal{IC}} \cup \Psi_{\mathcal{DB}}$, and
conservative query answering is equivalent to entailment checking for the same
theory (see also Corollary 5.2 below). Thus, these decision problems can be
encoded by QBFs in prenex normal form with exactly one quantifier alternation.
The corollary is obtained, now, by the following well-known result:

Proposition 5.1. [27] Given a propositional formula $\psi$, whose atoms are
partitioned into $i \geq 1$ sets
$\{p^1_1, \ldots, p^1_{m_1}\}, \ldots, \{p^i_1, \ldots, p^i_{m_i}\}$, deciding
whether

$$\exists p^1_1, \ldots, \exists p^1_{m_1}, \forall p^2_1, \ldots, \forall p^2_{m_2}, \ldots, Q p^i_1, \ldots, Q p^i_{m_i}\ \psi$$

is true, is $\Sigma_i^P$-complete (where $Q = \exists$ if $i$ is odd and
$Q = \forall$ if $i$ is even). Also, deciding if

$$\forall p^1_1, \ldots, \forall p^1_{m_1}, \exists p^2_1, \ldots, \exists p^2_{m_2}, \ldots, Q p^i_1, \ldots, Q p^i_{m_i}\ \psi$$

is true, is $\Pi_i^P$-complete (where $Q = \forall$ if $i$ is odd and
$Q = \exists$ if $i$ is even). □

As shown, e.g., in [19], the complexity bounds specified in the last corollary are
strict, i.e., these decision problems are hard for the respective complexity classes.

Note 5.2. (Consistent query answering) Another consequence of Theorem 5.1 is
that the conservative approach to query answering [1,19] may be represented in
our context in terms of a consequence relation as follows:

Corollary 5.2. $Q$ is a consistent query answer of a database
$\mathcal{DB} = (\mathcal{D}, \mathcal{IC})$ in the sense of [1,19] iff
$\overline{\mathcal{IC}} \cup \Psi_{\mathcal{DB}} \models Q$.

The last corollary and Section 4.2 provide, therefore, some additional methods
for consistent query answering, all of them are based on signed theories.

6 Experiments and Comparative Study 

The idea of using formulae that introduce new (‘signed’) variables aimed
at designating the truth assignments of other related variables is used, for
different purposes, e.g. in [2, 3, 6, 7]. In the area of database integration, signed
variables are used in [19], and have a similar intended meaning as in our case.
In [19], however, only $\leq_i$-preferred repairs are considered, and a rewriting
process for converting relational queries over a database with constraints
to extended disjunctive queries (with two kinds of negations) over a database
without constraints, must be employed. As a result, only solvers that are able
to process disjunctive Datalog programs and compute their stable models (e.g.,
DLV), can be applied. In contrast, as we have already noted above, motivated
by the need to find practical and effective methods for repairing inconsistent
databases, signed formulae serve here as a representative platform that can be
directly used by a variety of off-the-shelf applications for computing (either
$\leq_i$-preferred or $\leq_c$-preferred) repairs. In what follows we examine
some of these applications and compare their appropriateness to the kind of
problems that we are dealing with.

We have randomly generated instances of a database, consisting of three
relations: teacher of the schema (teacher_name), course of the schema
(course_name), and teaches of the schema (teacher_name, course_name). Also,
the following two integrity constraints were specified:

ic1 A course is given by one teacher:

$\forall X \forall Y \forall Z \big( (teacher(X) \wedge teacher(Y) \wedge course(Z) \wedge teaches(X,Z) \wedge teaches(Y,Z)) \to X = Y \big)$

ic2 Each teacher gives at least one course:

$\forall X \big( teacher(X) \to \exists Y (course(Y) \wedge teaches(X,Y)) \big)$

The next four test cases (identified by the enumeration below) were considered:

1. Small database instances with ic1 as the only constraint.

2. Larger database instances with ic1 as the only constraint.

3. Databases with $\mathcal{IC}$ = {ic1, ic2}, where the number of courses
equals the number of teachers.

4. Databases with $\mathcal{IC}$ = {ic1, ic2} and with fewer courses than
teachers.

Note that in the first two test cases, only retractions of database facts are
needed in order to restore consistency, in the third test case both insertion and
retractions may be needed, and the last test case is unsolvable, as the theory is
not satisfiable.

For each benchmark we generated a sequence of instances with an increasing
number of database facts, and tested them w.r.t. the following applications:

— ASP/CLP-solvers:
DLV [15] (release 2003-05-16), CLP(FD) [12] (version 3.10.1).

— QBF-solvers:
SEMPROP [22] (release 24.02.02), QuBE-BJ [18] (release 1.3), DECIDE [26].

— SAT-solvers:
A minimal-model generator based on zChaff [25].

The goal was to construct <j-preferred repairs within a time limit of five 
minutes. The systems DLV and CLP(FD) were tested also for constructing < c - 
preferred repairs. All the experiments were done on a Linux machine, 800MHz, 
with 512MB memory. Tables 1-4 show the results for providing the first answer. 9 



The results of the first benchmark (Table 1) already indicate that DLV, CLP, 
and zChaff perform much better than the QBF-solvers. In fact, among the QBF- 
solvers that were tested, only SEMPROP could repair within the time limit most 
of the database instances of benchmark 1, and none of them could success- 
fully repair (within the time restriction) the larger database instances, tested in 
benchmark 2. Also, we encountered some space limitation problems and a bug 10 
in DECIDE, and this discouraged us from using it in our experiments. 

Another observation from Tables 1-4 is that DLV, CLP, and the zChaff-based
system perform very well for minimal inclusion greedy algorithms. However,
when using DLV and CLP for cardinality minimization, their performance is much
worse. This is due to an exhaustive search for a $\leq_c$-minimal solution.
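
The gap between the two preference criteria can be reproduced on a toy instance. The following Python sketch is an added example, not code from the paper or from any of the tested solvers: it assumes that $\leq_i$ means minimality under set inclusion and $\leq_c$ minimality under cardinality of the retracted facts, uses a constructed database violating ic1, and its greedy routine is a generic one rather than the algorithm of Section 4.2.

```python
from itertools import combinations

# Constructed instance in the style of test case 1: three teachers, one course.
FACTS = [
    ("teacher", "t1"), ("teacher", "t2"), ("teacher", "t3"),
    ("course", "c1"),
    ("teaches", "t1", "c1"), ("teaches", "t2", "c1"), ("teaches", "t3", "c1"),
]

def satisfies_ic1(db):
    """ic1: a course is given by one teacher."""
    teaches = [f for f in db if f[0] == "teaches"]
    for _, x, z in teaches:
        for _, y, z2 in teaches:
            if (z == z2 and x != y and ("course", z) in db
                    and ("teacher", x) in db and ("teacher", y) in db):
                return False
    return True

def retraction_repairs(facts):
    """Exhaustive search: every set of retracted facts that restores ic1."""
    db = frozenset(facts)
    return [frozenset(r)
            for k in range(len(facts) + 1)
            for r in combinations(facts, k)
            if satisfies_ic1(db - frozenset(r))]

def inclusion_minimal(repairs):
    """Repairs with no proper subset that is also a repair (assumed <=_i)."""
    return [r for r in repairs if not any(other < r for other in repairs)]

def cardinality_minimal(repairs):
    """Repairs retracting the fewest facts (assumed <=_c)."""
    smallest = min(len(r) for r in repairs)
    return [r for r in repairs if len(r) == smallest]

def greedy_inclusion_minimal(facts):
    """One pass, one consistency check per fact: keep a fact if it fits.

    Sound for ic1 alone, because removing facts can never violate ic1;
    it would not be sound once ic2 (which may require insertions) is added.
    """
    kept = set()
    for fact in facts:
        if satisfies_ic1(kept | {fact}):
            kept.add(fact)
    return frozenset(facts) - kept

if __name__ == "__main__":
    repairs = retraction_repairs(FACTS)
    print("inclusion-minimal repairs:", len(inclusion_minimal(repairs)))
    print("cardinality-minimal repairs:", cardinality_minimal(repairs))
    print("greedy repair:", sorted(greedy_inclusion_minimal(FACTS)))
```

The greedy pass returns an inclusion-minimal repair of size two after seven consistency checks, while the only cardinality-minimal repair (retracting the course) is found here by enumerating all subsets.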

While in benchmark 1 the time differences among DLV, CLP, and zChaff,
for computing $\leq_i$-repairs are marginal, in the other benchmarks the differences

9 Times are given in seconds, empty cells mean that timeout is reached without
an answer, vars is the number of variables, IC is the number of grounded integrity
constraints, and size is the size of the repairs.

10 For the unsatisfiable QBF $\exists x y\, \forall u v\, ((x \vee y) \wedge (u \vee v))$, the answer x = 1 and y = 0 is
returned. The system developers were notified about this and the bug is being fixed.
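
Table 1. Results for test case 1

| No. | vars | IC | size | $\leq_i$-repairs: DLV | $\leq_i$-repairs: CLP | $\leq_i$-repairs: zChaff | $\leq_i$-repairs: SEMPROP | $\leq_i$-repairs: QuBE | $\leq_c$-repairs: DLV | $\leq_c$-repairs: CLP |
|-----|------|-----|------|-------|-------|--------|---------|--------|---------|---------|
| 1 | 20 | 12 | 8 | 0.005 | 0.010 | 0.024 | 0.088 | 14.857 | 0.011 | 0.020 |
| 2 | 25 | 16 | 7 | 0.013 | 0.010 | 0.018 | 0.015 | | 0.038 | 0.020 |
| 3 | 30 | 28 | 12 | 0.009 | 0.020 | 0.039 | 0.100 | | 0.611 | 0.300 |
| 4 | 35 | 40 | 15 | 0.023 | 0.020 | 0.008 | 0.510 | | 2.490 | 1.270 |
| 5 | 40 | 48 | 16 | 0.016 | 0.020 | 0.012 | 0.208 | | 3.588 | 3.220 |
| 6 | 45 | 42 | 17 | 0.021 | 0.030 | 0.008 | 0.673 | | 12.460 | 10.350 |
| 7 | 50 | 38 | 15 | 0.013 | 0.020 | 0.009 | 0.216 | | 23.146 | 20.760 |
| 8 | 55 | 50 | 20 | 0.008 | 0.030 | 0.018 | 1.521 | | 29.573 | 65.530 |
| 9 | 60 | 58 | 21 | 0.014 | 0.030 | 0.036 | 3.412 | | 92.187 | 136.590 |
| 10 | 65 | 64 | 22 | 0.023 | 0.030 | 0.009 | 10.460 | | 122.399 | 171.390 |
| 11 | 70 | 50 | 22 | 0.014 | 0.030 | 0.019 | 69.925 | | | |
| 12 | 75 | 76 | 27 | 0.021 | 0.030 | 0.010 | 75.671 | | | |
| 13 | 80 | 86 | 29 | 0.021 | 0.030 | 0.009 | 270.180 | | | |
| 14 | 85 | 76 | 30 | 0.022 | 0.030 | 0.010 | | | | |
| 15 | 90 | 78 | 32 | 0.024 | 0.040 | 0.020 | | | | |
| 16 | 95 | 98 | 35 | 0.027 | 0.040 | 0.047 | | | | |
| 17 | 100 | 102 | 40 | 0.017 | 0.040 | 0.016 | | | | |
| 18 | 105 | 102 | 37 | 0.018 | 0.040 | 0.033 | | | | |
| 19 | 110 | 124 | 43 | 0.030 | 0.040 | 0.022 | | | | |
| 20 | 115 | 116 | 44 | 0.027 | 0.040 | 0.041 | | | | |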

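Table 2. Results for test case 2

| No. | vars | IC | size | $\leq_i$-repairs: DLV | $\leq_i$-repairs: CLP | $\leq_i$-repairs: zChaff |
|-----|------|-----|------|-------|-------|--------|
| 1 | 480 | 171 | 470 | 0.232 | 0.330 | 0.155 |
| 2 | 580 | 214 | 544 | 0.366 | 0.440 | 0.051 |
| 3 | 690 | 265 | 750 | 0.422 | 0.610 | 0.062 |
| 4 | 810 | 300 | 796 | 0.639 | 0.860 | 0.079 |
| 5 | 940 | 349 | 946 | 0.815 | 1.190 | 0.094 |
| 6 | 1080 | 410 | 1108 | 1.107 | 1.560 | 0.123 |
| 7 | 1230 | 428 | 1112 | 1.334 | 2.220 | 0.107 |
| 8 | 1390 | 509 | 1362 | 1.742 | 2.580 | 0.135 |
| 9 | 1560 | 575 | 1562 | 2.254 | 3.400 | 0.194 |
| 10 | 1740 | 675 | 1782 | 2.901 | 4.140 | 0.182 |
| 11 | 1930 | 719 | 2042 | 3.592 | 5.260 | 0.253 |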

become more evident. Thus, for instance, zChaff performs better than the 
other solvers w.r.t. bigger database instances with many simple constraints (see 
benchmark 2), while DLV performs better when the problem has bigger and 
more complicated sets of constraints (see benchmark 3). The SAT approach with
zChaff was the fastest in detecting unsatisfiable situations (see benchmark 4). 
As shown in Table 4, detecting unsatisfiability requires a considerable amount 
of time, even for small instances. 
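
Table 3. Results for test case 3

| No. | vars | size | $\leq_i$-repairs: DLV | $\leq_i$-repairs: CLP | $\leq_i$-repairs: zChaff | $\leq_c$-repairs: DLV | $\leq_c$-repairs: CLP |
|-----|------|------|-------|-------|--------|---------|-------|
| 1 | 25 | 4 | 0.008 | 0.030 | 0.066 | 0.010 | 0.05 |
| 2 | 36 | 9 | 0.008 | 0.030 | 0.087 | 0.070 | 0.42 |
| 3 | 49 | 15 | 0.027 | 0.250 | 0.050 | 0.347 | 9.48 |
| 4 | 64 | 23 | 0.019 | 0.770 | 0.013 | 2.942 | 58.09 |
| 5 | 81 | 30 | 0.012 | 4.660 | 0.102 | 26.884 | |
| 6 | 100 | 34 | 0.021 | | 0.058 | 244.910 | |
| 7 | 121 | 38 | 0.626 | | 1.561 | | |
| 8 | 144 | 47 | 0.907 | | 2.192 | | |
| 9 | 169 | 51 | 0.161 | | 0.349 | | |
| 10 | 196 | 68 | 1.877 | | 4.204 | | |
| 11 | 225 | 70 | 8.496 | | 16.941 | | |
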

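Table 4. Results for test case 4

| No. | teachers | courses | $\leq_i$-repairs: DLV | $\leq_i$-repairs: CLP | $\leq_i$-repairs: zChaff | $\leq_c$-repairs: DLV | $\leq_c$-repairs: CLP |
|-----|----------|---------|--------|-------|--------|--------|--------|
| 1 | 5 | 4 | 0.001 | 0.01 | 0.001 | 0.001 | 0.001 |
| 2 | 7 | 5 | 0.005 | 0.13 | 0.010 | 0.005 | 0.120 |
| 3 | 9 | 6 | 0.040 | 1.41 | 0.020 | 0.042 | 1.400 |
| 4 | 11 | 7 | 0.396 | 17.18 | 0.120 | 3.785 | 17.170 |
| 5 | 13 | 8 | 3.789 | | 1.050 | 44.605 | |
| 6 | 15 | 9 | 44.573 | | 13.370 | | |
| 7 | 17 | 10 | | | | | |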

Some of the conclusions from the experiments may be summarized as follows: 



1. In principle, QBF-solvers, CLP-solvers, ASP-solvers, and SAT-solvers are all 
adequate tools for computing database repairs. 

2. All the QBF-solvers, as well as DLV and zChaff, are ‘black-boxes’ that ac- 
cept the problem specification in a certain format. In contrast, CLP(FD) 
provides a more ‘open’ environment, in which it is possible to incorporate 
problem-specific search algorithms, such as the greedy algorithm for finding 
$\leq_i$-minimal repairs (see Section 4.2).

3. Currently, the performance of the QBF-solvers is considerably below that 
of the other solvers. Moreover, most of the QBF-solvers require that the 
formulae are represented in prenex CNF, and specified in Dimacs or Rintanen 
format. These requirements are usually space-demanding. In our context, 
the fact that many QBF-solvers (e.g., SEMPROP and QuBE-BJ) return only 
yes/no answers (according to the satisfiability of the input theory), is another 
problem, since it is impossible to construct repairs only by these answers. 
One needs to be able to extract the assignments to the outmost existentially
quantified variables (as done, e.g., by DECIDE). 

Despite these drawbacks of QBF-solvers, reasoning with QBFs seems to be 
particularly suitable for our needs, since this framework provides a natural 
way to express minimization (in our case, representations of optimal repairs).
It is most likely, therefore, that future versions of QBF-solvers will be the 
basis of powerful mechanisms for handling consistency in databases. 

7 Concluding Remarks 

This work provides further evidence for the well-known fact that in many cases 
a proper representation of a given problem is a major step in finding robust 
solutions to it. In our case, a uniform method for encoding the restoration of 
database consistency by signed formulae allows us to use off-the-shelf solvers for 
efficiently computing the desired repairs. 

As shown in Corollary 5.1, the task of repairing a database is on the second 
level of the polynomial hierarchy, hence it is not tractable. However, despite 
the high computational complexity of the problem, the experimental results 
of Section 6 show that our method of repairing databases by signed theories is 
practically appealing, as it allows a rapid construction of repairs for large problem
instances. 

Abstract. When two or more databases are combined into a global one,
integrity may be violated even when each database is consistent with its 
own local integrity constraints. Efficient methods for checking global in- 
tegrity in data integration systems are called for: answers to queries can 
then be trusted, because either the global database is known to be consis- 
tent or suitable actions have been taken to provide consistent views. The 
present work generalizes simplification techniques for integrity checking 
in traditional databases to the combined case. Knowledge of local con- 
sistency is employed, perhaps together with given a priori constraints on 
the combination, so that only a minimal number of tuples needs to be 
considered. Combination from scratch, integration of a new source, and 
absorption of local updates are dealt with for both the local-as-view and 
global-as-view approaches to data integration. 



1 Introduction 

Data integration has attracted much attention in the recent years due to the 
explosion in online data sources and the whole aspect of globalization of society 
and business. 

To integrate a set of different local data sources means to provide a common 
database schema, often called a global or mediator schema, and to describe 
a relationship between the different local schemata and the global one. Two 
common paradigms for defining such relationships are the so-called local-as-view 
(LaV, a.k.a. source-centric) and global-as-view (GaV, a.k.a. global-centric); see
[28] for definitions and comparison. 

Integrity constraints of a database are overall conditions that must be met 
by any instance of the database in order for it to provide a meaningful seman- 
tics, and maintenance of integrity constraints is a standard issue in traditional 
databases. 

In combined databases, on the other hand, integrity constraints have been 
used mainly for query reformulation and optimization, but the problem of check- 
ing and maintaining integrity constraints in this context seems to be largely ig- 
nored (a few exceptions are mentioned in section 2). This is problematic as even 
though each local database may satisfy its specific integrity constraints, the com- 
bined database may not have a good semantics and the answers to queries cannot 
be trusted. 



D. Seipel and J.M. Turull-Torres (Eds.): FoIKS 2004, LNCS 2942, pp. 31–48, 2004.
(c) Springer-Verlag Berlin Heidelberg 2004







H. Christiansen and D. Martinenghi 



Consider, as an example, two databases of marriages for two different coun- 
tries. Both may satisfy a non-bigamist integrity constraint, but combining the 
two may violate this. We need methods to identify such violations and, ideally, 
provide means for restoring consistency, which may be done in different ways. 

As in a traditional database of nontrivial size, it is not practically feasible 
to check integrity constraints for the entire database in one operation: an incre- 
mental approach is needed so that only a small amount of work is required for 
each update. For the combined case, it is even more urgent to optimize integrity 
checking and distribute it over time: Transition delays over network links need 
to be considered, and an update in this context may mean the addition of a new 
data source. 

Theoretically sound methods, called simplification of integrity constraints, 
have been developed for relational and deductive databases, although the com- 
mon practice is still based on ad hoc techniques. Typically, database experts need 
to design and hand-code either complicated tests in the program producing the 
update requests or triggers within the database management system that react 
upon certain update actions (and in combined databases, we expect it to be the 
same, if integrity is considered at all).

It seems obvious that a generalization of simplification techniques will be of 
great advantage for combined databases, and we can present some first results 
in adapting a newly developed and highly flexible simplification framework [13]. 
The main idea in simplification is to keep the database invariantly consistent, 
so that this knowledge can be utilized in the investigation whether the database 
will be consistent following a suggested update. For example, for a non-bigamist 
constraint, it means that it is sufficient to check the condition for new husbands 
and wives against the database when a marriage is proposed, as all other com- 
binations of tuples have been checked earlier. Some simplification methods need 
to perform the update before the simplified constraint can be checked so that a 
roll-back operation may become necessary, whereas others such as [13] can do 
with the current state before the update, which seems to be a better approach. 
However, the method of [13] can also be adapted to perform post-update checks, 
which seems of relevance in a combined database where a local update is regis- 
tered as a message that it has been performed. 

With our approach we can check the integrity both when several sources 
are integrated and when an updated source notifies the mediator with a mes- 
sage about the update. In order to have a simplification, we need to have some 
knowledge about the current state. When integrating a new source, we may trust 
a statement that it satisfies its local constraints; when a message about a local 
update is received, we may trust two things: The combined database was con- 
sistent before the update and the update has been verified locally, i.e., the local 
constraints are maintained. As a natural result, we obtain that only the possible 
interference between the update and the other sources needs to be checked. 

If global inconsistencies are found, we also indicate how integrity can be 
restored by maintaining at the global level a small database of virtual local 
changes, when it is not possible to modify the local sources directly. 

The paper is organized as follows. In section 2 we review existing literature
in the field. The simplification framework of [13] is introduced in section 3 and 
its uses for data integration are explained in section 4. Examples of the GaV 
and LaV approaches are given in section 5 and 6 respectively, while the problem 
of dealing with updates at the source level is addressed in section 7. Concluding 
remarks and future directions are provided in section 8. 



2 Related Work 



The contribution of integrity constraints to data integration is usually confined 
to query reformulation and query optimization problems. In a GaV approach the 
global schema is expressed in terms of views over the sources, whereas in LaV 
the sources are formulated as views over the global schema. The former approach 
is usually considered simpler for query answering, as this typically amounts to 
unfolding a query with respect to the view definitions; on the other hand it is less 
flexible if new sources need to be added to (or removed from) the system. The 
latter has more involved query answer mechanisms, but enjoys good scalability, 
as changes at the sources do not require any modification in the global schema. 

In [17] the problem of answering queries using views (query folding) under
LaV is addressed with a technique based on resolution, and several cases, in- 
cluding integrity constraints, negation and recursion, are dealt with. 

A foundational description of the problem of consistent query answering, 
without considering data integration issues, is given in [8], where analytic 
tableaux are used to characterize the repairs of databases that do not comply 
with given integrity constraints. 

A short survey on the role of integrity constraints in data integration is given 
in [9]. They are regarded as means to extract more information from incomplete
sources as well as components that raise the issue of dealing with possibly in- 
consistent global databases. Several GaV typologies are studied that include the 
treatment of key and foreign key constraints and both sound and exact map- 
pings. In [10] the same authors develop these ideas to show that, in the presence 
of integrity constraints, query answering in GaV becomes as difficult as in LaV, 
as the problem of incomplete information implicitly arises. Further discussion 
on the expressive power of the two approaches, in terms of query-preserving 
transformations, is given in [11]. 

In [28], Ullman relates the problem of constructing answers to queries using
views to query containment algorithms and compares two implemented systems 
in these terms. 

Levy [20] applies techniques from artificial intelligence to the problem of data 
integration and shows examples of both GaV and LaV query reformulation with 
integrity constraints, including particular data access patterns. 

Li [21] considers the use of integrity constraints in LaV query processing 
and optimization and distinguishes between local and global constraints and, for 
these, between general global constraints and source-derived global constraints. 

Others, e.g., [6,7,22], have approached the global consistency problem by
introducing disjunctive databases, that we shall not consider in this paper. Conflicts
in the data are usually resolved by means of majority principles; to this
end, [26] extensively analyzes the general problem of arbitration, which is the
process of settling a divergence, by considering preferences and weights. In addition
to data-related inconsistencies, the authors of [22] also consider the problem
of merging sources whose compatibility is affected by the presence of synonyms,
homonyms or type conflicts in the schemata.

The presence of semi-structured data, i.e., information that does not match a 
strict predefined schema, is a common phenomenon in current applications, such 
as web databases, as also reflected in the emerging XML standard. This is an 
important issue in data integration and the database community has developed 
various techniques for handling this kind of information [1,5]; however, we will 
not focus on this problem in the remainder of the paper. 

Another direction of research concerns automatic identification of a common 
global schema with mappings from different source schemata. Various techniques, 
such as linguistic and ontological similarity between relation and attribute names 
and type structures, can be used; see [27] for an overview. Recent work, e.g., 
[29], attempts to extract indirectly expressed similarities using a kind of shal- 
low semantic analysis. Apart from referential integrity and key constraints, this 
research has not paid much attention to integrity constraints, but it seems very 
likely that a more fine-grained comparison of integrity constraints may help to 
identify semantic similarities. 

Paraconsistent logics can be used to model the possible inconsistencies com- 
ing from database integration and update. In [3] it is shown how one such logic, 
called LFI1, has the capability of storing and managing inconsistent information. 

What we want to do instead is to check the integrity of a database that 
consists of several data sources. In order to deal with this in an optimal way, 
in the next section we introduce new tools for the simplification of integrity 
constraints that can be used to manage a number of different configurations of 
database schemata and integrity constraints at the sources and at the mediator. 

The principle of simplification of integrity constraints dates back to at least 
[24] and has been elaborated by many other authors. We develop this paper 
upon the framework described in [13] and we refer to that for further discussion, 
relevant proofs and references. 

3 A Framework for Simplification of Integrity Constraints 

We review here, with small variations, the simplification framework presented in 
[13] and assume a function-free first-order language equipped with negation and
built-ins for equality ($=$) and inequality ($\neq$), where terms ($t$, $s$, ...), variables
($x$, $y$, ...), constants ($a$, $b$, ...), predicates ($p$, $q$, ...), atoms, literals and formulas
in general are defined as usual. The set of all ground (i.e., variable-free) atoms 
that can be formed from the predicate symbols and the terms in the language is 
referred to as the Herbrand base. 

Clauses are written in the form Head $\leftarrow$ Body where the head, if present,
is an atom and the body a (perhaps empty) conjunction of literals. A denial
is a headless clause and a fact is a bodiless clause; all other clauses are called
rules. We identify a set of formulas with their conjunction and thus true with $\emptyset$
and $\phi$ with the set $\{\phi\}$. Logical equivalence between formulas is denoted by $\equiv$,
entailment by $\models$. The notation $\vec{t}$ indicates a sequence of terms $t_1, \ldots, t_n$ and the
expressions $p(\vec{t})$, $\vec{s} = \vec{t}$ and $\vec{s} \neq \vec{t}$ are defined accordingly. We further assume that
all clauses are range restricted (see, e.g., [13]). For simplicity, we do not allow 
recursion, but our method is relevant for all database environments in which 
range restricted queries produce a finite set of ground tuples. 

We distinguish three components of a database: the extensional database 
(the facts), the intensional database (the rules) and the constraint theory (the in- 
tegrity constraints) [16]. With no loss of generality [12], we shall assume through- 
out the rest of the paper that the constraint theory contains only extensional 
predicates. By database state we refer to the union of the extensional and the 
intensional parts only. 

Definition 3.1 (Database). A database is a triple $(S, \Gamma, D)$, where $\Gamma$ is a
constraint theory, $D$ a database state and $S$ a set of signatures for the predicates
of $\Gamma$ and $D$, called a database signature.

As semantics of a database state $D$, with default negation for negative literals,
we take its standard model, as $D$ is here recursion-free and thus stratified. The
truth value of a closed formula $F$, relative to $D$, is defined as its valuation in
the standard model and denoted $D(F)$. (See, e.g., [25] for exact definitions for
these and other common logical notions.) 

Definition 3.2 (Consistency). A database state $D$ is consistent with a constraint
theory $\Gamma$ iff $D(\Gamma) = \mathit{true}$.

The method can handle general forms of update, including additions, deletions 
and changes. Furthermore, [13] allows also for so-called parameters, i.e., place- 
holders for constants that permit to generalize updates into update patterns, 
which can be evaluated before knowing the actual values of the update itself. 
For example, the notation $\{p(a), \neg q(a)\}$, where $a$ is a parameter, refers to the
class of updates that add a tuple to the unary relation p and remove the same 
tuple from the unary relation q. For simplicity, in this paper we restrict our at- 
tention to parameter-free additions, but the results we present also hold in the 
presence of parameters as well as for deletions and changes. 

Definition 3.3 (Update). An update is a non-empty set of ground facts. 

3.1 Semantic Notions 

We introduce now a few concepts that allow us to characterize the notion of sim- 
plification from a semantic point of view. We refer to [13] for further discussion. 

The notion of weakest precondition is a semantic correctness criterion for a 
test to be run prior to the execution of the update, i.e., a test that can be checked 
in the present state but indicating properties of the prospective new state. 

Definition 3.4 (Weakest precondition, strongest postcondition). Let $\Gamma$
and $\Sigma$ be constraint theories and $U$ an update. $\Sigma$ is a weakest precondition of
$\Gamma$ with respect to $U$ and $\Gamma$ is a strongest postcondition of $\Sigma$ with respect to $U$
whenever $D(\Sigma) = (D \cup U)(\Gamma)$ for any database state $D$.

Weakest preconditions [14,18] resemble the standard axiom for defining assign- 
ment statements in a programming language, whose side effects are analogous 
to a database update. The concept of strongest postcondition characterizes how 
questions concerning the previous state may be answered in the updated state. 

The essence of simplification is the optimization of a weakest precondition 
based on the invariant that the constraint theory holds in the present state. 

Definition 3.5 (Conditional weakest precondition). Let $\Gamma$, $\Delta$ be constraint
theories and $U$ an update. A constraint theory $\Sigma$ is a $\Delta$-conditional weakest
precondition ($\Delta$-CWP) of $\Gamma$ with respect to $U$ whenever $D(\Sigma) = (D \cup U)(\Gamma)$
for any database state $D$ consistent with $\Delta$.

Typically, $\Delta$ will include $\Gamma$, but it may also contain other knowledge, such as
further properties of the database that are trusted.

The notion of CWP alone is not sufficient to fully characterize the principle 
of simplification: an optimality criterion is needed, which serves as an abstrac- 
tion over actual computation times without introducing assumptions about any 
particular evaluation mechanism or referring to any specific database state. According
to definition 3.5, semantically different $\Delta$-CWPs may exist, as their truth
values are only fixed in the states that are consistent with $\Delta$. Among these, we
characterize as optimal a constraint theory that depends on as small a part of
the database as possible (see definition 3.8). The following example demonstrates
this idea and shows that a semantically weakest $\Delta$-CWP, i.e., one that holds in
as many states as possible, does not, in general, enjoy this property.

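Example 3.1. Consider the constraint theory $\Gamma = \Delta = \{\leftarrow p(a) \wedge q(a),\ \leftarrow r(a)\}$
and the update $U = \{p(a)\}$. The strongest, optimal and weakest $\Delta$-CWPs of $\Gamma$
with respect to $U$ are shown in the following table.

| Strongest | Optimal | Weakest |
|-----------|---------|---------|
| $\{\leftarrow q(a),\ \leftarrow r(a)\}$ | $\{\leftarrow q(a)\}$ | $\{\leftarrow q(a) \wedge \neg p(a) \wedge \neg r(a)\}$ |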

We base our definition of optimality on the notion of cover, i.e., a portion of 
the Herbrand base that does not affect the semantics of a constraint theory: the 
larger the cover, the better the constraint theory. 

Definition 3.6 (Cover). Two database states $D_1, D_2$ are said to agree on a
subset $S$ of the Herbrand base $B$ whenever $D_1(A) = D_2(A)$ for every ground
atom $A \in S$. A set $C \subseteq B$ is a cover for a constraint theory $\Gamma$ whenever

$$D(\Gamma) = D'(\Gamma)$$

for any two database states $D, D'$ that agree on $B \setminus C$. If, furthermore, $\Gamma$ admits
no other cover $C' \supset C$, $C$ is a maximal cover for $\Gamma$.

Definition 3.7 (Conditional equivalence). Let $\Delta$, $\Gamma_1$, $\Gamma_2$ be constraint theories,
then $\Gamma_1$ and $\Gamma_2$ are conditionally equivalent with respect to $\Delta$, denoted
$\Gamma_1 \overset{\Delta}{\equiv} \Gamma_2$, whenever $D(\Gamma_1) = D(\Gamma_2)$ for any database state $D$ consistent with $\Delta$.

Definition 3.8 (Optimality). Given two constraint theories $\Delta$ and $\Sigma$, $\Sigma$ is
$\Delta$-optimal if it admits a maximal cover $C$ such that there exists no other constraint
theory $\Sigma' \overset{\Delta}{\equiv} \Sigma$ with maximal cover $C' \supset C$. A $\Delta$-optimal $\Delta$-CWP of
a constraint theory $\Gamma$ with respect to an update $U$ is a $\Delta$-optimal conditional
weakest precondition ($\Delta$-OCWP) of $\Gamma$ with respect to $U$.

Obviously the integrity constraint $\{\leftarrow q(a)\}$ indicated as optimal in example 3.1
satisfies this definition, as it admits the maximal cover $B \setminus \{q(a)\}$. The only
larger cover is $B$ and any constraint theory with cover $B$ would not be a $\Delta$-CWP
of $\Gamma$ with respect to $U$ in the example.

Ideally, the test for possible inconsistency introduced by a given update 
should be performed prior to the update, but in the setting of data integra- 
tion this might not always be feasible. A consistency test that can be made after 
the update is called a weakest post-precondition. Similarly to $\Delta$-CWPs, we refer
to the following conditional notion.

Definition 3.9 (Conditional weakest post-precondition). Let $\Gamma$, $\Delta$ be constraint
theories and $U$ an update. A constraint theory $\Sigma$ is a $\Delta$-conditional weakest
post-precondition ($\Delta$-CWPP) of $\Gamma$ with respect to $U$ whenever $(D \cup U)(\Sigma) =
(D \cup U)(\Gamma)$ for any database state $D$ consistent with $\Delta$.

The notion of optimal $\Delta$-CWPP can be defined analogously to definition 3.8 and
is indicated as $\Delta$-OCWPP.

3.2 Transformations on Integrity Constraints 

In the following, we define the transformations that are used to compose a sim- 
plification procedure. 

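Definition 3.10. Let $\Gamma$ be a constraint theory and $U$ an update:

$$U = \{\, p_1(\vec{a}_{1,1}),\ p_1(\vec{a}_{1,2}),\ \ldots,\ p_1(\vec{a}_{1,n_1}),\ \ldots,\ p_m(\vec{a}_{m,1}),\ p_m(\vec{a}_{m,2}),\ \ldots,\ p_m(\vec{a}_{m,n_m}) \,\},$$

where the $p_i$'s are distinct predicates and the $\vec{a}_{i,j}$'s are sequences of constants.
The notation $\mathrm{After}^U(\Gamma)$ refers to a copy of $\Gamma$ in which all atoms of the form
$p_i(\vec{t})$ have been simultaneously replaced by

$$p_i(\vec{t}) \vee \vec{t} = \vec{a}_{i,1} \vee \cdots \vee \vec{t} = \vec{a}_{i,n_i}.$$

The notation $\mathrm{Before}^U(\Gamma)$ is as $\mathrm{After}^U(\Gamma)$ but where the replacement is

$$p_i(\vec{t}) \wedge \vec{t} \neq \vec{a}_{i,1} \wedge \cdots \wedge \vec{t} \neq \vec{a}_{i,n_i}.$$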

It follows immediately from the definition that After and Before distribute over
$\cup$. We furthermore assume that the result of these transformations is always
given as a set of denials, obtained by applications of De Morgan's laws, and in a
"normalized" form, i.e., without redundant constraints and sub-formulas (such
as, e.g., $a = a$). We refer to [13] for a proposed implementation. The semantic
correctness of After and Before is expressed by the following property.

Theorem 3.1. For any update $U$ and constraint theory $\Gamma$, $\mathrm{After}^U(\Gamma)$ is a weakest
precondition and $\mathrm{Before}^U(\Gamma)$ is a strongest postcondition of $\Gamma$ with respect to $U$.

An essential step in the achievement of simpler integrity constraints is to employ 
the fact that they hold in the current database state, and remove those parts 
of the condition about the possible updated state that are implied by this. For 
this purpose, we introduce a transformation Optimize that produces a constraint 
theory which is optimal with respect to a given set of hypotheses. 

Definition 3.11 (Optimize). Given two constraint theories $\Delta$, $\Gamma$,
$\mathrm{Optimize}_\Delta(\Gamma)$ refers to a $\Delta$-optimal theory $\Sigma$ such that $\Sigma \overset{\Delta}{\equiv} \Gamma$.

It should be observed that Optimize is defined in a purely mathematical way that
does not indicate how to construct such a constraint theory. In the following,
we shall refer to the implementation given in [13], based on the purely syntactic
notion of subsumption (see, e.g., [16]): Optimize removes from $\Gamma$ all denials that
are subsumed by a denial in $\Delta$. Although we have no proof for it yet, we believe
that this implementation produces the desired results, at least under reasonable
conditions for $\Gamma$. From definition 3.11 we have immediately the following.

Proposition 3.1. Let $\Sigma$ be a weakest precondition of constraint theory $\Gamma$ with
respect to an update $U$. Then $\mathrm{Optimize}_\Delta(\Sigma)$, $\Delta$ a constraint theory, is a
$\Delta$-OCWP of $\Gamma$ with respect to $U$.

The operators introduced so far can be combined to define a procedure for sim- 
plification of integrity constraints, where the updates always take place from a 
consistent state. 

Definition 3.12. For a constraint theory $\Gamma$ and an update $U$, we define

$$\mathrm{Simp}^U(\Gamma) = \mathrm{Optimize}_\Gamma(\mathrm{After}^U(\Gamma)).$$

As a consequence of the previous results, Simp enjoys the following property.

Proposition 3.2. Let $\Gamma$ be a constraint theory and $U$ an update. Then
$\mathrm{Simp}^U(\Gamma)$ is a $\Gamma$-OCWP of $\Gamma$ with respect to $U$.

No other work we are aware of has based simplification on the notion of optimal 
conditional weakest precondition. 

Example 3.2. Consider a database containing information about marriages,
which receives updates of the form $U = \{m(a,b)\}$ (husband $a$ is married to
wife $b$) and has the following integrity constraint (no husband has more than one
wife):

$$\Gamma = \ \leftarrow m(x,y) \wedge m(x,z) \wedge y \neq z.$$

The simplification, showing intermediate steps in After, is calculated as follows.

$$\begin{aligned}
\mathrm{After}^U(\Gamma) = \{\, & \leftarrow m(x,y) \wedge m(x,z) \wedge y \neq z, \\
& \leftarrow m(x,y) \wedge x = a \wedge z = b \wedge y \neq z, \\
& \leftarrow x = a \wedge y = b \wedge m(x,z) \wedge y \neq z, \\
& \leftarrow x = a \wedge y = b \wedge x = a \wedge z = b \wedge y \neq z \,\} = \\
= \mathrm{After}^U(\Gamma) = \{\, & \leftarrow m(x,y) \wedge m(x,z) \wedge y \neq z, \\
& \leftarrow m(a,y) \wedge y \neq b \,\} \\
\mathrm{Simp}^U(\Gamma) = \{\, & \leftarrow m(a,y) \wedge y \neq b \,\}
\end{aligned}$$

There may be specific applications where consistency needs to be checked directly 
on the updated database. In these cases, Before comes in handy. 

Definition 3.13. For a constraint theory $\Gamma$ and an update $U$, we define

$\text{PostSimp}^U(\Gamma) = \text{Before}^U(\text{Simp}^U(\Gamma))$.



Proposition 3.3. Let $D$ be a database state consistent with a constraint theory
$\Gamma$ and $U$ an update. Then $(D^U)(\Gamma) = (D^U)(\text{PostSimp}^U(\Gamma))$.

Proposition 3.4. Let $\Gamma$ be a constraint theory and $U$ an update. Then
$\text{PostSimp}^U(\Gamma)$ is a $\Gamma$-OCWPP of $\Gamma$ with respect to $U$.

4 Integrity Constraints in Combined Databases 

4.1 Extending the Framework for Data Integration 

In section 3 we described a framework that applies to a single updatable 
database. In the context of data integration, we have in general several databases 
(the sources and the mediator) and other operations than database updates need 
to be considered, such as database combination. We shall therefore generalize 
the notation in order to describe the relevant cases for data integration. In order 
to provide a unified view of the data residing at different sources, we need to 
indicate how the global predicates are expressed in terms of the source predicates.
We shall therefore introduce the notion of mapping, which we assume to
be sound, i.e., the information produced by the views over the sources contains
only, but not necessarily all, the data associated to the global predicates.
Complete mappings and exact mappings are defined in a similar way (see, e.g., [10]),
but we do not consider them in this paper. 







H. Christiansen and D. Martinenghi 



Definition 4.1 (Mapping). A mapping $M : (\mathcal{D}_1, \ldots, \mathcal{D}_n) \to \mathcal{D}$, where $\mathcal{D}, \mathcal{D}_1,
\ldots, \mathcal{D}_n$ are databases with disjoint signatures, is a set of range restricted rules in
which the predicates in the heads are in $\mathcal{D}$ and their terms are distinct variables,
and the predicates in the bodies are in one of the $\mathcal{D}_1, \ldots, \mathcal{D}_n$ or are built-ins.

Notice that it is always possible to rewrite a set of range restricted rules as a
mapping: for a rule whose head contains some constants or non-distinct variables,
they can be replaced by new variables, provided that equalities keeping track of
the replacements are added in the body.

We can now extend the After operator to handle data integrations described 
by a mapping from the sources to the mediator. 

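Definition 4.2. Let $\mathcal{D}, \mathcal{D}_1, \ldots, \mathcal{D}_n$ be some databases with disjoint signatures, $\Gamma$
a constraint theory concerning the predicates in $\mathcal{D}$ and $M$ a mapping of the form:

$$\begin{aligned}
M = \{\, & p_1(\vec{x}_1) \leftarrow B_{1,1}, \ \ldots, \ p_1(\vec{x}_1) \leftarrow B_{1,n_1}, \\
& \qquad \vdots \\
& p_m(\vec{x}_m) \leftarrow B_{m,1}, \ \ldots, \ p_m(\vec{x}_m) \leftarrow B_{m,n_m} \,\},
\end{aligned}$$

where the $p_i$'s are all the (distinct) predicates in $\mathcal{D}$, the $\vec{x}_i$'s are sequences of
variables and the $B_{i,j}$'s are conjunctions of literals whose predicates are in one of the
$\mathcal{D}_1, \ldots, \mathcal{D}_n$ or are built-ins. The notation $\text{After}^M(\Gamma)$, where $M : (\mathcal{D}_1, \ldots, \mathcal{D}_n) \to \mathcal{D}$
is a mapping, refers to a copy of $\Gamma$ in which all atoms of the form $p_i(\vec{t})$ have
been simultaneously replaced by

$B_{i,1}\theta_i\rho_{i,1} \lor \ldots \lor B_{i,n_i}\theta_i\rho_{i,n_i}$,

where $\theta_i$ is a substitution that replaces the variables of $\vec{x}_i$ with the terms of $\vec{t}$
and $\rho_{i,j}$ a renaming giving fresh new names to the variables of $B_{i,j}$ not in $\vec{x}_i$ to
avoid name clashes.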

We use the term operation to refer to either an update or the application of a 
mapping. The After operator, as stated by definitions 3.10 and 4.2, behaves as 
follows: for an update, it translates a theory concerning the updated state to one 
referring to the state before the update; similarly, for a database combination, it 
moves from the state after the integration to the non-integrated state, i.e., from 
a theory concerning the mediator to one concerning the sources. It is therefore
meaningful to extend the notion of weakest precondition accordingly. 

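Definition 4.3. Let $\Gamma$ and $\Sigma$ be constraint theories and $M : (\mathcal{D}_1, \ldots, \mathcal{D}_n) \to \mathcal{D}$
a mapping where $\mathcal{D}, \mathcal{D}_1, \ldots, \mathcal{D}_n$ are databases. $\Sigma$ is a weakest precondition of $\Gamma$
with respect to $M$ whenever $(D_1 \cup \ldots \cup D_n)(\Sigma) = D(\Gamma)$ for any database states
$D, D_1, \ldots, D_n$ in $\mathcal{D}, \mathcal{D}_1, \ldots$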

The notions of CWP and OCWP can be extended in a similar way. We imme- 
diately have the extension of theorem 3.1 and proposition 3.1, where the word 
“operation” can be used instead of “update”. 

In definition 3.12 we implicitly assumed that the argument of Simp was both 
the theory to be simplified and the condition known to hold prior to the opera- 
tion; it is now useful to extend the notation as follows. 

Definition 4.4. For two constraint theories $\Gamma$, $\Delta$ and an operation $O$, we define

$\text{Simp}^O_\Delta(\Gamma) = \text{Optimize}_\Delta(\text{After}^O(\Gamma))$.

Proposition 3.2 can immediately be generalized as follows. 

Proposition 4.1. Let $\Gamma$, $\Delta$ be constraint theories and $O$ an operation. Then
$\text{Simp}^O_\Delta(\Gamma)$ is a $\Delta$-OCWP of $\Gamma$ with respect to $O$.

The notation $\text{Simp}^U(\Gamma)$ of definition 3.12, $U$ an update, can therefore be considered
as a shorthand for $\text{Simp}^U_\Gamma(\Gamma)$. Examples of the application of these extended
versions of the operators are shown in the next sections.



4.2 Consistent Views on Inconsistent States 

When the information contained in the source databases is conflicting with the
global requirements and the sources cannot be modified, it is possible to repair
inconsistencies by maintaining a virtual database of exceptions $\mathcal{D}_e$ at the global
level. Suppose sources $\mathcal{D}_1, \ldots, \mathcal{D}_n$ are given and the global database $\mathcal{D}$ is defined
via a mapping $M : (\mathcal{D}_1, \ldots, \mathcal{D}_n) \to \mathcal{D}$. Let $\mathcal{D}_e$'s signature contain for each predicate
$p$ in $\mathcal{D}$ two predicates $p^+$ and $p^-$ of the same arity, the former representing
the tuples that should be in $p$ but are not, the latter those that should not be
in $p$ but are. The consistent global database $\mathcal{D}_c$ can then be thought of as a
combination of $\mathcal{D}_e$ and $\mathcal{D}$ that contains a predicate $p_c$ for every predicate $p$ in
$\mathcal{D}$, as defined in the mapping $M_e : (\mathcal{D}, \mathcal{D}_e) \to \mathcal{D}_c$ by the following entries:

$p_c(\vec{x}) \leftarrow p(\vec{x}) \land \neg p^-(\vec{x})$,
$p_c(\vec{x}) \leftarrow p^+(\vec{x})$.

In order to identify suitable $p^+$ and to re-establish consistency, an abductive
algorithm can be integrated with the procedure for evaluating the simplified 
integrity constraints. A full treatment of this topic is outside the scope of this 
paper; see, e.g., [15,19] for an overview of abductive methods. Applications of 
abduction to database repair that fit our model are described in [2,4]. 

5 Integrity Constraints under Global-as-View 

In a global-centric approach it is required that the global schema is expressed in 
terms of the sources. The global predicates must be associated with views over 
the sources: this is exactly what the notion of mapping makes precise, as stated 
in definition 4.1. A mapping containing entries for all global predicates is called 
a GaV-mapping. 

We start our analysis by considering a borderline case of GaV-mapping consisting
of the combination of two¹ databases having the same signature and
constraint theory. Let $S_1$, $S_2$, $S$ be three disjoint database signatures that are
identical up to consistent renaming of predicates and $\Gamma_1$, $\Gamma_2$ and $\Gamma$ the constraint
theories (also identical up to renaming) defined at the sources and the mediator,
respectively. The global database state consists of the union of the local ones
and the mapping $M$ used for the combination is defined as a set containing, for
every predicate $p$ in $S$, the entries:

$p(\vec{x}) \leftarrow p_1(\vec{x})$,
$p(\vec{x}) \leftarrow p_2(\vec{x})$,

where $\vec{x}$ is a sequence of variables and $p_1$, $p_2$ are the predicates corresponding
to $p$ in $S_1$, $S_2$, respectively. A simplified test for checking that the combined
database is consistent with $\Gamma$ is then given by $\text{Simp}^M_{\Gamma_1 \land \Gamma_2}(\Gamma)$.

1 The case with more than two sources is similar.

Example 5.1. Let us refer to example 3.2 and consider two sources $\mathcal{D}_1 =
(S_1, \Gamma_1, D_1)$, $\mathcal{D}_2 = (S_2, \Gamma_2, D_2)$ and a mediator $\mathcal{D} = (S, \Gamma, D)$ with signatures²
$S_1 = \{m_1/2\}$, $S_2 = \{m_2/2\}$, $S = \{m/2\}$ and the following integrity constraints:

$\Gamma = \leftarrow m(x, y) \land m(x, z) \land y \neq z$,
$\Gamma_1 = \leftarrow m_1(x, y) \land m_1(x, z) \land y \neq z$,
$\Gamma_2 = \leftarrow m_2(x, y) \land m_2(x, z) \land y \neq z$.

$D_1$, $D_2$ are consistent database states and $D$ is their combination, as expressed
by the mapping: $M = \{m(x,y) \leftarrow m_1(x,y),\ m(x,y) \leftarrow m_2(x,y)\}$. We have:

$$\begin{aligned}
\text{After}^M(\Gamma) = \{\, & \leftarrow (m_1(x,y) \lor m_2(x,y)) \land (m_1(x,z) \lor m_2(x,z)) \land y \neq z \,\} = \\
= \text{After}^M(\Gamma) = \{\, & \leftarrow m_1(x,y) \land m_1(x,z) \land y \neq z, \\
& \leftarrow m_1(x,y) \land m_2(x,z) \land y \neq z, \\
& \leftarrow m_2(x,y) \land m_2(x,z) \land y \neq z \,\}
\end{aligned}$$

The only check that is needed is, as expected, a cross-check between the two
databases, as the other denials are removed by Optimize:

$\text{Simp}^M_{\Gamma_1 \land \Gamma_2}(\Gamma) = \{\, \leftarrow m_1(x,y) \land m_2(x,z) \land y \neq z \,\}$.

We can get even better results when extra knowledge concerning the com- 
bination of the sources is available. This simply amounts to adding the extra 
knowledge to the conditions in the subscript of Simp. 

Example 5.2. Consider example 5.1, where we have now the knowledge $\Gamma_{1,2}$ that
the data concerning the husbands in the two databases are disjoint:

$\Gamma_{1,2} = \leftarrow m_1(x, y) \land m_2(x, z)$.

A much stronger simplification is obtained now, as

$\text{Simp}^M_{\Gamma_1 \land \Gamma_2 \land \Gamma_{1,2}}(\Gamma) = \text{true}$.

The cross-check that was found in example 5.1 is subsumed by $\Gamma_{1,2}$ and thus
discarded, so no check is needed, as the combined state will anyhow be consistent.

2 As usual, predicate signatures are indicated as name/arity. 
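
The computation of examples 5.1 and 5.2 can be replayed mechanically. The following Python sketch is an added illustration, not the implementation of [13]: it unfolds a mapping as in definition 4.2 (positive literals only) and realizes Optimize by plain subsumption, additionally dropping variants of denials already kept. The tuple encoding of literals and all function names are assumptions made for this example.

```python
from itertools import product

# A denial "<- L1 ∧ ... ∧ Ln" is a frozenset of literals (predicate, arg, ...).
# ("neq", s, t) stands for s ≠ t. Prolog convention: terms starting with an
# upper-case letter are variables, all other terms are constants.

def is_var(term):
    return term[:1].isupper()

def subst(lit, theta):
    return (lit[0],) + tuple(theta.get(t, t) for t in lit[1:])

def norm(lit):
    # ≠ is symmetric, so keep its two arguments in a canonical order
    return ("neq",) + tuple(sorted(lit[1:])) if lit[0] == "neq" else lit

def denial(*lits):
    return frozenset(norm(l) for l in lits)

def match(pattern, target, theta):
    """Extend theta so that pattern·theta equals target; None if impossible."""
    if pattern[0] != target[0] or len(pattern) != len(target):
        return None
    theta = dict(theta)
    for p, t in zip(pattern[1:], target[1:]):
        if is_var(p):
            if theta.setdefault(p, t) != t:
                return None
        elif p != t:
            return None
    return theta

def subsumes(c, d, theta=None):
    """True if a substitution maps every literal of denial c onto a literal of d."""
    c = tuple(c)
    if not c:
        return True
    for lit in d:
        variants = [lit, (lit[0], lit[2], lit[1])] if lit[0] == "neq" else [lit]
        for v in variants:
            extended = match(c[0], v, theta or {})
            if extended is not None and subsumes(c[1:], d, extended):
                return True
    return False

def after(theory, mapping):
    """After^M: replace every global atom by the disjunction of its source
    definitions and distribute, so that the result is again a set of denials."""
    out, fresh = set(), 0
    for den in theory:
        choices = []
        for lit in sorted(den):
            if lit[0] not in mapping:
                choices.append([[lit]])
                continue
            alternatives = []
            for head_vars, body in mapping[lit[0]]:
                fresh += 1
                theta = dict(zip(head_vars, lit[1:]))   # θ: head variables -> terms of the atom
                rho = {v: f"{v}_{fresh}" for b in body for v in b[1:]
                       if is_var(v) and v not in theta}  # ρ: fresh names for body-only variables
                alternatives.append([subst(b, {**rho, **theta}) for b in body])
            choices.append(alternatives)
        for combo in product(*choices):
            out.add(frozenset(norm(l) for part in combo for l in part))
    return out

def optimize(theory, delta):
    """Drop every denial subsumed by a denial in delta (or by one already kept)."""
    kept = []
    for den in sorted(theory, key=sorted):
        if not any(subsumes(c, den) for c in list(delta) + kept):
            kept.append(den)
    return set(kept)

def simp(theory, mapping, delta):
    return optimize(after(theory, mapping), delta)

# Example 5.1: M = {m(x,y) <- m1(x,y), m(x,y) <- m2(x,y)}
M = {"m": [(("X", "Y"), [("m1", "X", "Y")]), (("X", "Y"), [("m2", "X", "Y")])]}
GAMMA = denial(("m", "X", "Y"), ("m", "X", "Z"), ("neq", "Y", "Z"))
GAMMA_1 = denial(("m1", "X", "Y"), ("m1", "X", "Z"), ("neq", "Y", "Z"))
GAMMA_2 = denial(("m2", "X", "Y"), ("m2", "X", "Z"), ("neq", "Y", "Z"))
GAMMA_12 = denial(("m1", "X", "Y"), ("m2", "X", "Z"))   # example 5.2: disjoint husbands
CROSS_CHECK = denial(("m1", "X", "Y"), ("m2", "X", "Z"), ("neq", "Y", "Z"))

if __name__ == "__main__":
    print(simp([GAMMA], M, [GAMMA_1, GAMMA_2]))            # the cross-check only
    print(simp([GAMMA], M, [GAMMA_1, GAMMA_2, GAMMA_12]))  # empty set, i.e. true
```

Plain subsumption is enough for these two examples; the simplification with the referential condition in example 5.3 needs more than this sketch provides.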

When the mapping is arbitrary, the method can be applied in a similar way.

Example 5.3. We consider a data integration problem inspired by Levy [20] but
here extended with global and local integrity constraints. Suppose we have two
sources containing information about movies. We use the variables $i$, $t$, $y$ and $r$ for
movie identifiers, titles, years and reviews respectively. The first source contains
movies $m(i,t,y)$, where $i$ is key, whereas the second contains reviews $r(i,r)$.
Furthermore, we know that the identifiers in $r$ are a subset of the identifiers
in $m$. The mediator assembles this information in a relation $f(i,t,r)$ (film), as
defined by the following GaV-mapping:

$M = \{f(i, t, r) \leftarrow m(i, t, y) \land r(i, r)\}$.

The following conditions are therefore known to hold on the ensemble of sources:

$$\begin{aligned}
\Gamma_1 = \{\, & \leftarrow m(i,t_1,y_1) \land m(i,t_2,y_2) \land t_1 \neq t_2, \\
& \leftarrow m(i,t_1,y_1) \land m(i,t_2,y_2) \land y_1 \neq y_2 \,\},
\end{aligned}$$

A, 2 = ■f— r(i,r) A t, y). 

Let $\Gamma$ express the fact that $i$ is a primary key for $f$:

$$\begin{aligned}
\Gamma = \{\, & \leftarrow f(i,t_1,r_1) \land f(i,t_2,r_2) \land t_1 \neq t_2, \\
& \leftarrow f(i,t_1,r_1) \land f(i,t_2,r_2) \land r_1 \neq r_2 \,\}.
\end{aligned}$$

In order to check whether $\Gamma$ holds globally, we proceed as follows.

$$\begin{aligned}
\text{After}^M(\Gamma) = \{\, & \leftarrow m(i,t_1,y_1) \land r(i,r_1) \land m(i,t_2,y_2) \land r(i,r_2) \land t_1 \neq t_2, \\
& \leftarrow m(i,t_1,y_1) \land r(i,r_1) \land m(i,t_2,y_2) \land r(i,r_2) \land r_1 \neq r_2 \,\}.
\end{aligned}$$

The first constraint is obviously subsumed by the first constraint in $\Gamma_1$ and the
second one can be simplified with $\Gamma_{1,2}$, which gives the following:

$\text{Simp}^M_{\Gamma_1 \land \Gamma_{1,2}}(\Gamma) = \{\, \leftarrow r(i,r_1) \land r(i,r_2) \land r_1 \neq r_2 \,\}$,

which evidently corresponds to the fact that $i$ must be a key for $r$ as well.

6 Integrity Constraints under Local-as-View 

A LaV-mapping is usually understood as a set of views of source predicates over
global predicates. From now on with the word LaV-view we will refer to a formula
of the form $A \to B$, where $A$ is an atom (the antecedent), $B$ a conjunction
of atoms (the consequents) and universal quantification at the outmost level
is understood for all variables. A LaV-view $A \to B$ is safe whenever all the
variables in $B$ appear in $A$ as well. A set of safe LaV-views is called a safe
LaV-mapping. Given a safe³ LaV-mapping, and assuming it is sound as discussed in
section 4, we can always rewrite it as an equivalent mapping. This is shown in
the following examples and can be done by using the fact that, with safeness,
whenever $A \to A_1 \land \ldots \land A_n$, then $A_1 \leftarrow A$ and ... and $A_n \leftarrow A$, where $A, A_1, \ldots, A_n$
are atoms, and perhaps by adding some equalities in the bodies in order to have
only distinct variables in the heads. Note that in general a LaV-mapping is not
necessarily a mapping in the sense of definition 4.1.

3 Safeness is used to avoid skolemization.

Example 6.1. Reconsider the scenario discussed in example 5.1. The global
database combines now two sources where in the first one the husbands are
Italian, and in the second one Danish, which is expressed by the LaV-mapping
$L = \{m_1(x,y) \to m(x,y) \land n(x,it),\ m_2(x,y) \to m(x,y) \land n(x,dk)\}$, where $m$
and $n$ are global predicates. An equivalent mapping is as follows:

$$\begin{aligned}
M_L = \{\, & m(x,y) \leftarrow m_1(x,y), \\
& n(x,z) \leftarrow m_1(x,y) \land z = it, \\
& m(x,y) \leftarrow m_2(x,y), \\
& n(x,z) \leftarrow m_2(x,y) \land z = dk \,\}.
\end{aligned}$$

We note that, given the local no-bigamist assumptions $\Gamma_1$ and $\Gamma_2$, the simplification
of uniqueness of nationality $\text{Simp}^{M_L}_{\Gamma_1 \land \Gamma_2}(\leftarrow n(x,y) \land n(x,z) \land y \neq z) =
\leftarrow m_1(x,y) \land m_2(x,z)$ corresponds to the disjointness of $m_1$ and $m_2$.

Example 6.2. This example is also inspired by Levy ([20]) and extended with
global and local integrity constraints. The global database integrates three different
sources that provide information about movies. We use the variables $t$,
$y$, $d$ and $g$ for movie titles, years, directors, and genres respectively. The global
predicates are $m(t,y,d,g)$, representing a given movie, and $d(d)$, $i(d)$, $a(d)$, ...,
representing nationalities of directors, here Danish, Italian, American, etc. The
following integrity constraints are assumed: a key constraint on $m$ ($t,y$ is key),
a domain constraint on film genre, and uniqueness of nationality. Underlines are
used as anonymous variables à la Prolog for ease of notation.

$$\begin{aligned}
\Gamma = \{\, & \leftarrow m(t,y,d_1,\_) \land m(t,y,d_2,\_) \land d_1 \neq d_2, \\
& \leftarrow m(t,y,\_,g_1) \land m(t,y,\_,g_2) \land g_1 \neq g_2, \\
& \leftarrow m(\_,\_,\_,g) \land g \neq comedy \land g \neq drama \land \cdots, \\
& \leftarrow d(d) \land i(d), \\
& \leftarrow d(d) \land a(d), \\
& \cdots \,\}.
\end{aligned}$$

There are three source databases. The first one contains American comedies
given as $m_1(t,y,d)$ with $t,y$ as key and a LaV-mapping as follows.

$\Gamma_1 = \leftarrow m_1(t,y,d_1) \land m_1(t,y,d_2) \land d_1 \neq d_2$
$L_1 = \{m_1(t,y,d) \to m(t,y,d,comedy) \land a(d)\}$.

The second source contains Danish movies only, with a key constraint $\Gamma_2$ on $t, y$
as usual and the following LaV-view.

$L_2 = \{m_2(t,y,d,g) \to m(t,y,d,g) \land d(d)\}$.

The third source is a general list of movies with predicates similar to the global
ones ($m_3$, $d_3$, $i_3$, $a_3$ etc.) and with similar integrity constraints $\Gamma_3$. The
LaV-views are specified as follows.

$$\begin{aligned}
L_3 = \{\, & m_3(t,y,d,g) \to m(t,y,d,g), \\
& d_3(d) \to d(d), \\
& \ldots \,\}
\end{aligned}$$

As $L_1 \cup L_2 \cup L_3$ is safe we can rewrite it as the following mapping.⁴

$$\begin{aligned}
M = \{\, & m(t,y,d,g) \leftarrow m_1(t,y,d) \land g = comedy, \\
& m(t,y,d,g) \leftarrow m_2(t,y,d,g), \\
& m(t,y,d,g) \leftarrow m_3(t,y,d,g), \\
& a(d) \leftarrow m_1(\_,\_,d), \\
& d(d) \leftarrow m_2(\_,\_,d,\_), \\
& a(d) \leftarrow a_3(d), \\
& d(d) \leftarrow d_3(d), \\
& i(d) \leftarrow i_3(d), \\
& \ldots \,\}
\end{aligned}$$

The simplified integrity constraints for the integration of the three databases,
given as $\Sigma = \text{Simp}^M_{\Gamma_1 \land \Gamma_2 \land \Gamma_3}(\Gamma)$, are, as expected, simplified rules covering possible
conflicts in cross combinations only, as local consistency is assumed.

$$\begin{aligned}
\Sigma = \{\, & \leftarrow m_1(\_,\_,d) \land m_2(\_,\_,d,\_), \\
& \leftarrow m_1(\_,\_,d) \land p_3(d), && \text{($p$ any nationality pred. different from $a$)} \\
& \leftarrow m_2(\_,\_,d,\_) \land p_3(d), && \text{($p$ any nationality pred. different from $d$)} \\
& \leftarrow m_1(t,y,\_) \land m_2(t,y,\_,\_), \\
& \leftarrow m_1(t,y,d_1) \land m_3(t,y,d_2,\_) \land d_1 \neq d_2, \\
& \leftarrow m_2(t,y,d_1,\_) \land m_3(t,y,d_2,\_) \land d_1 \neq d_2, \\
& \leftarrow m_1(t,y,\_) \land m_3(t,y,\_,g) \land g \neq comedy, \\
& \leftarrow m_2(t,y,\_,g_1) \land m_3(t,y,\_,g_2) \land g_1 \neq g_2, \\
& \leftarrow m_2(\_,\_,\_,g) \land g \neq comedy \land g \neq drama \land \cdots \,\}.
\end{aligned}$$

The example can be changed a bit assuming that the third source is an unchecked
database to which enthusiastic amateurs can add arbitrary information, which
is not unrealistic in case of the world wide web. In that case, the simplified
constraints include also a copy of the full set of global constraints with predicate
names $m_3$, $a_3$, etc.



7 Absorption of Local Updates 

A data integration system needs to be able to adjust itself dynamically as sources
are updated over time. We assume that source databases maintain their own
consistency and that reports about which updates have been performed are
available at the global level; this may be supplied by the source administrator
or generated by a process monitoring the sources. Consistency needs then to be
checked globally. This problem, that we refer to as absorption of local updates,
can be handled in an optimal way as described in the following proposition.

4 If, say, in $m_1$ the genre was left unspecified, skolemization would be needed.

Proposition 7.1. Given $n$ sources with database states $D_i$, $1 \le i \le n$, a mediator
$(S, \Gamma, D)$ obtained with mapping $M$ and a set of conditions $\Delta$ holding in
$D_S = D_1 \cup \ldots \cup D_n$, let $\Sigma = \text{Simp}^M_\Delta(\Gamma)$ hold in $D$, $U$ be an update for $D_S$ and $D^U$
the state at the mediator after the update. Then $D^U(\Gamma) = D_S(\text{PostSimp}^U(\Sigma))$.

Note that the condition expressed by $\text{PostSimp}^U(\Sigma)$ is optimal in the sense of
proposition 3.4.

Example 7.1. In example 5.1, the following integrity constraint was generated
for the integration of two sources referred to by predicates $m_1$ and $m_2$:

$\Sigma = \leftarrow m_1(x, y) \land m_2(x, z) \land y \neq z$.

If the update $m_1(a, b)$ is reported, the optimal way to check the global consistency
is to test $\text{PostSimp}^U(\Sigma) = \leftarrow m_2(a, z) \land b \neq z$ on the updated state.

Example 7.2. Consider $\Sigma$ from the LaV integrated movie database of example 6.2
and assume that the second source reports the addition of a new movie

$U = \{m_2(\text{“Dogville”}, 2003, \text{“von Trier”}, drama)\}$.

The following tests, calculated as $\text{PostSimp}^U(\Sigma)$, remain:

$$\begin{aligned}
\{\, & \leftarrow m_1(\_,\_,\text{“von Trier”}), \\
& \leftarrow p_3(\text{“von Trier”}), && \text{($p$ any nationality pred. different from $d$)} \\
& \leftarrow m_1(\text{“Dogville”}, 2003, \_), \\
& \leftarrow m_3(\text{“Dogville”}, 2003, d, \_) \land d \neq \text{“von Trier”}, \\
& \leftarrow m_3(\text{“Dogville”}, 2003, \_, g) \land g \neq drama \,\}.
\end{aligned}$$

8 Conclusion 

We revisited simplification techniques for integrity constraints and applied them 
to the problem of consistency checking in a data integration setting. Examples 
were discussed that showed that the described method lends itself well to both 
the LaV and GaV approaches and is useful for the problem of update absorption. 

The novelty of this approach mainly consists of two aspects: firstly, the reuse 
of a simplification framework that was initially conceived for a single database 
and, secondly, the characterization of the semantic notions involved in the com- 
bined case that underlie the optimality of the method. 

The treatment of cases that require skolemization when converting LaV- 
mappings to mappings has not been attempted in this paper. Future directions 
include the investigation of new strategies, if needed, that deal with such cases 
as well as the extension of the method to situations where the mapping is not 
sound, but exact or complete. 

Abstract. We will consider the following problem in this paper:

Assume there are $n$ numeric data $\{x_1, x_2, \ldots, x_n\}$ (like salaries of $n$ individuals)
stored in a database and some subsums of these numbers are disclosed
by making them public or just available to persons not eligible to learn
the original data. Our motivating question is: at most how many of these
subsums may be disclosed such that none of the numbers $x_1, x_2, \ldots, x_n$
can be uniquely determined from these sums. These types of problems
arise in the cases when certain tasks concerning a database are done by
subcontractors who are not eligible to learn the elements of the database,
but naturally should be given some data to fulfill their task. In database
theory such examples are called statistical databases as they are used for
statistical purposes and no individual data are supposed to be obtained
using a restricted list of SUM queries. This problem was originally introduced
by Chin and Ozsoyoglu [1], originally solved by Miller et al. [5]
and revisited by Griggs [4].

It turned out [5] that the problem is equivalent to the following question:

If there are $n$ real, non-zero numbers $X = \{x_1, x_2, \ldots, x_n\}$ given, what is
the maximum number of 0 subsums of it, that is, what is the maximum
number of the subsets of $X$ whose elements sum up to 0. This approach,
together with the Sperner theorem, shows that no more than $\binom{n}{n/2}$ subsums
of a given set of secure data may be disclosed without disclosing
at least one of the data, which upper bound is sharp as well.

However, it is natural to assume that the disclosed subsums of the original
elements of the database will contain only a limited number of elements,
say at most $k$ (in the applications databases are usually huge,
while the number of operations is in most of the cases limited). We have
now the same question: at most how many of these subsums of at most $k$
members may be given such that none of the numbers $x_1, x_2, \ldots, x_n$ can
be uniquely determined from these sums. The main result of this paper
gives an upper bound on this number, which turns out to be sharp if we
allow subsums of only $k$ or $k - 1$ members and asymptotically sharp in
case of subsums of at most $k$ members.



1 Introduction 

The security of statistical databases has been studied for a long time. In this
case the database is only used to obtain statistical information and therefore no
individual data is supposed to be obtained as a result of the performed queries.
Of course, the user is not allowed to query individual records; still, using only
statistical types of queries, it might be possible to make inferences about the
individual records. Several authors investigated earlier the possibility of introducing
restrictions for the prevention of database compromise, which include data
and response perturbation, data swapping, random response queries, etc. One of
the natural restrictions is to allow only SUM queries, that is, queries which return
the sum of the attributes corresponding to a set of individuals characterized by
a characteristic formula. For a more detailed explanation of these terms see Denning
[2,3]. In all of these cases it was assumed, and will be assumed throughout this
paper as well, that the outside user or attacker does not have any further information
about the database, only the answers to the SUM queries (e.g. they don’t know
about any functional dependencies).

Chin and Ozsoyoglu [1] introduced an Audit Expert mechanism for the prevention
of database compromise with SUM queries. Later Miller et al. [5] determined
the maximum number of SUM queries for this mechanism, which is
$\binom{n}{\lfloor n/2 \rfloor}$. For example, in the database below one can ask the sum of the salaries
of the individuals, choosing the same number ($i = 0, 1, 2, 3$) of them from both
of the sets {Bush, Carter, Clinton} and {Johnson, Kennedy, Nixon, Reagan}.
In such a way one will choose $\binom{3}{0} \times \binom{4}{0} + \binom{3}{1} \times \binom{4}{1} + \binom{3}{2} \times \binom{4}{2} + \binom{3}{3} \times \binom{4}{3} =
1 + 3 \times 4 + 3 \times 6 + 1 \times 4 = 35 = \binom{7}{3}$ queries. Clearly, the given database and the
one obtained from this one by lowering the salaries of {Bush, Carter, Clinton} by
1000 and increasing the salaries of {Johnson, Kennedy, Nixon, Reagan} by 1000
will give exactly the same answer to these queries and therefore no individual
salary can be exactly calculated from this set of questions.



Table 1. Sample Database

Name       Salary
Bush       250000
Carter     180000
Clinton    220000
Johnson    120000
Kennedy    100000
Nixon      140000
Reagan     160000

A natural restriction of the above question is the restriction of the size of the
SUM queries, that is, assuming that the sums may involve at most or exactly $k$
members. E.g., if in the above database we only consider SUM queries summing
up 3 data, a possible scheme of them without compromising the database is to ask
the sum of the salaries of 3 gentlemen, two chosen from the set {Bush, Carter,
Clinton, Johnson, Kennedy} and one from the set {Nixon, Reagan}. Therefore
altogether $\binom{5}{2} \times \binom{2}{1} = 20$ queries are made, and, again, increasing the salaries
of {Bush, Carter, Clinton, Johnson, Kennedy} and decreasing the salaries of
{Nixon, Reagan} by double that amount shows that no individual data
can be gained from this set of statistical queries.

The main results of the present paper, presented in Section 3 as Theorems 3.1 and
3.2, answer the questions about the maximal possible number of SUM queries when either
only a given number of data can be summed at any time or when the number of
the data involved in any SUM query is bounded above. The first question is
solved completely (that is, a construction of a possible sequence of queries,
the number of them equal to the obtained upper bound, is given), assuming
(what can be quite natural in the real use of databases) that the number of
records is much larger than the allowed number of them in the SUM queries.
The second case is answered asymptotically.

In Section 2 we will carry out a sequence of transformations of the original
questions, most of them repeating (or simply referring to) the transformations done
by Chin and Ozsoyoglu [1] and Miller et al. [5,6], to formulate the exact mathematical
questions to be solved in Section 3. In Section 4, we will draw the
conclusions to answer the original statistical database questions.



2 Deriving the Mathematical Problems 



Let us be given $n$ real numbers $\{x_1, x_2, \ldots, x_n\}$ (like salaries of $n$ individuals
in the sample database) stored in a database. A possible SUM query is to ask
$\sum_{i \in A} x_i$ for some $A \subset X = \{1, 2, 3, \ldots, n\}$ and we would like to maximize the
number of these queries (maybe with some other side constraints) such that
they will not determine any of the original data $x_i$'s. That is, we would like to
give a sequence of subsets of $X$, $\mathcal{A} = \{A_1, A_2, \ldots, A_m\}$, maximize $m$, such that
the sums $\{\sum_{i \in A_j} x_i : 1 \le j \le m\}$ do not determine any of the $x_i$'s. We will
only consider a restricted type of attacks, that is, methods to calculate the values
of $x_i$'s from the known sums, namely linear combinations. However, the upper
bound proven for this restricted type of attacks will turn out to be sharp for
the general case as well. In Section 4 we will give constructions of databases
together with the sequence of SUM queries such that their number will be equal
to the obtained maximum (if we only assume linear combination attacks) and
the different databases (all individual data will be pairwise different) will both
give the same answer to these SUM queries.

To formulate the problem in another way, more suitable for our investigation,
consider the $n$ dimensional vector space over the real numbers, $\mathbb{R}^n$, and the unit
vectors $e_i = (0, 0, \ldots, 1, \ldots, 0)$, $i = 1, 2, \ldots, n$. Denote the characteristic vectors
of the subsets $A_j$ by $v_j$, that is $v_j = (v_{j1}, v_{j2}, \ldots, v_{ji}, \ldots, v_{jn})$, where $v_{ji} = 1$ iff
$x_i \in A_j$, 0 otherwise. With this setting, we are looking for the maximum number
of $v_j$'s such that none of the unit vectors $e_i$'s are in $\langle v_1, v_2, \ldots, v_m \rangle$, the subspace
spanned by the $m$ characteristic vectors of the subsets determining the members
of the subsums. This can easily be seen with the following straightforward lemma.



Lemma 2.1 Let $x$ denote the vector $\{x_1, x_2, \ldots, x_n\}$ and for a given sequence
of SUM queries with characteristic vectors $v_1, v_2, \ldots, v_m$ consider the vectors
$v$ where the value $vx$, the scalar product of the two vectors $v$ and $x$, can be
calculated from the values $v_j x$, that is, $vx$ is uniquely determined by the two
vectors $v$ and $x$. Then these vectors will form a subspace of the original vector
space equal to $\langle v_1, v_2, \ldots, v_m \rangle$. □

From now on, instead of the sequence of the SUM queries we will consider 
the subspace spanned by the characteristic vectors. Any question regarding the 
maximum number of queries with certain property is equivalent to the question
of the maximum number of the (0,1)-vectors (with the additional required
properties) of the subspace not containing any of the unit vectors.
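
The subspace criterion can be turned directly into an audit of a query log. The following Python sketch is an added example, not code from the paper: it row-reduces the characteristic vectors exactly and reports every individual whose unit vector lies in their span, then replays the two query schemes of the introduction on the Table 1 data. The function names and the dictionary encoding of the database are assumptions of this example.

```python
from fractions import Fraction
from itertools import combinations

# Table 1 of the page
SALARY = {"Bush": 250000, "Carter": 180000, "Clinton": 220000, "Johnson": 120000,
          "Kennedy": 100000, "Nixon": 140000, "Reagan": 160000}
NAMES = list(SALARY)

def char_vector(query):
    """Characteristic (0,1)-vector of a SUM query given as a set of names."""
    return [1 if name in query else 0 for name in NAMES]

def row_reduce(rows):
    """Reduced row echelon form over the rationals; returns the non-zero rows."""
    rows = [[Fraction(x) for x in r] for r in rows]
    pivot_row = 0
    for col in range(len(NAMES)):
        pr = next((r for r in range(pivot_row, len(rows)) if rows[r][col] != 0), None)
        if pr is None:
            continue
        rows[pivot_row], rows[pr] = rows[pr], rows[pivot_row]
        p = rows[pivot_row][col]
        rows[pivot_row] = [x / p for x in rows[pivot_row]]
        for r in range(len(rows)):
            if r != pivot_row and rows[r][col] != 0:
                f = rows[r][col]
                rows[r] = [x - f * y for x, y in zip(rows[r], rows[pivot_row])]
        pivot_row += 1
    return rows[:pivot_row]

def compromised(queries):
    """Individuals whose value is a linear combination of the query answers.
    A unit vector e_i lies in the row space iff it is a row of the reduced form."""
    basis = row_reduce([char_vector(q) for q in queries])
    return {NAMES[row.index(1)] for row in basis
            if sum(1 for x in row if x != 0) == 1}

def answers(db, queries):
    return [sum(db[name] for name in q) for q in queries]

def pick(group_a, ka, group_b, kb):
    """All queries taking ka names from group_a and kb names from group_b."""
    return [set(a) | set(b) for a in combinations(group_a, ka)
            for b in combinations(group_b, kb)]

A = ["Bush", "Carter", "Clinton"]
B = ["Johnson", "Kennedy", "Nixon", "Reagan"]
# Scheme 1 of the introduction: the same number i = 0..3 from both sets
BALANCED = [q for i in range(4) for q in pick(A, i, B, i)]
# Scheme 2: queries of size 3, two from the first five names, one from the last two
FIVE, TWO = NAMES[:5], NAMES[5:]
TRIPLES = pick(FIVE, 2, TWO, 1)

# The alternative databases described on the page, indistinguishable from SALARY
SHIFTED_1 = {n: v + (-1000 if n in A else 1000) for n, v in SALARY.items()}
SHIFTED_2 = {n: v + (1000 if n in FIVE else -2000) for n, v in SALARY.items()}

if __name__ == "__main__":
    print(len(BALANCED), compromised(BALANCED))   # 35 queries, nobody exposed
    print(len(TRIPLES), compromised(TRIPLES))     # 20 queries, nobody exposed
    # one further query outside the subspace exposes every salary
    print(compromised(BALANCED + [{"Bush", "Carter", "Johnson"}]))
```

An auditor would run `compromised` on the log plus the candidate query and refuse the query when the returned set is non-empty.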

The following further reduction steps of the problem are originally due to
Chin and Ozsoyoglu [1].

Lemma 2.2 (Chin and Ozsoyoglu [1]) If $V \subset \mathbb{R}^n$, $e_i \notin V$, $1 \le i \le n$,
$\dim V \le (n - 1)$, then there is a $W \supset V$ such that $\dim W = n - 1$, $e_i \notin W$,
$1 \le i \le n$. □

Since any $n$ (full) dimensional space would contain all unit vectors $e_i$, and,
by the lemma above, all at most $n - 1$ dimensional spaces will be contained by
an exactly $n - 1$ dimensional space having the required property, we may assume
that the subspace giving the maximum possible number of allowed queries is $n - 1$
dimensional. Take the matrix of a basis of this subspace and bring it to its normal
form

$$\begin{pmatrix}
1 & 0 & \cdots & 0 & a_1 \\
0 & 1 & \cdots & 0 & a_2 \\
\vdots & & & & \vdots \\
0 & 0 & \cdots & 1 & a_{n-1}
\end{pmatrix}$$

where none of the $a_i$'s are equal to 0 due to the fact that the unit vectors are
not in the subspace.

The subspace spanned by the characteristic vectors of the allowed SUM
queries is also spanned by the rows of this matrix. Therefore all of these characteristic
vectors are in the subspace spanned by the rows of the matrix. On the
other hand, all the (0,1)-vectors being in the subspace spanned by the rows of the
matrix do determine a SUM query and (if they satisfy the further assumptions,
like the number of 1's is $k$ or at most $k$) they are allowed, that is, the set of them
will not compromise the database.

It is easy to see that the only linear combinations of the rows of this matrix
yielding (0,1)-vectors are those with coefficients 0, 1. Any such linear combination
will be a (0,1)-vector if and only if the sum $\sum a_i$ over all $i$ where the
corresponding coefficient is 1 is either 0 or 1. Therefore, we have to maximize
the number of sums $\sum_{i \in A} a_i = 0$ or 1 where the $A$'s are subsets of
$[n - 1] = \{1, 2, \ldots, n - 1\}$. Let us introduce $a_n = -1$ and now consider the
sums $\sum_{i \in B} a_i = 0$ where the $B$'s are subsets of $[n] = \{1, 2, \ldots, n\}$. Naturally,
there is a one-to-one correspondence between these two sets of sums. Therefore,
our original question

Problem 2.3 Determine the maximum possible number of SUM queries over a 
set of n records without compromising the database. 

is now reduced to the following one: 

Problem 2.4 Given a set of $n$ real numbers $\{a_1, a_2, \ldots, a_n\}$, none of them being
equal to 0, determine the maximum number of sums $\sum_{i \in B} a_i = 0$ where the $B$'s
are subsets of $[n] = \{1, 2, \ldots, n\}$.

Further, if we assume that the number of elements in the SUM queries are 
restricted by a size constraint (like at most or exactly k element subsets are only 
considered), the same restriction will apply to the sums in Problem 2.4. 

In Problem 2.4 we omitted the assumption that $a_n = -1$ since any set of $n$
non-zero real numbers $\{y_1, y_2, \ldots, y_n\}$ can be normalized (simply each of them
multiplied by the same non-zero number) such that for the resulting vector
$\{x_1, x_2, \ldots, x_n\}$ we will have $x_n = -1$ and the set (and therefore the number)
of zero sums naturally will not change.

Now consider the set of real numbers $\{a_1, a_2, \ldots, a_n\}$ and the system of
subsets of the indices $X = \{1, 2, \ldots, n\}$, $\mathcal{B} = \{B_1, B_2, \ldots, B_m\}$ such that the
sums $\sum_{i \in B_j} a_i$ are 0. Let $X_1$ be the set of indices of the positive $a_i$'s and
$X_2$ be the set of the indices of the negative $a_i$'s. Since none of the $a_i$'s are zero,
$X = X_1 \cup X_2$ is a partition of the set $X$. If we consider two sets $B_1$ and $B_2$
from the set $\mathcal{B}$, then since $\sum_{i \in B_1} a_i = \sum_{i \in B_2} a_i = 0$ we have $\sum_{i \in B_1 - B_2} a_i =
-\sum_{i \in B_1 \cap B_2} a_i = \sum_{i \in B_2 - B_1} a_i$ and therefore the sums at the two ends of this
system of equations are equal and so have the same sign. Therefore, it is not
possible that $B_1 - B_2 \subset X_1$ and $B_2 - B_1 \subset X_2$ at the same time.

Definition 2.5 Let $X = X_1 \cup X_2$ be a partition of the finite set $X$ and $F$ and
$G$ two subsets of $X$. We say that $F$ and $G$ are separated by the partition if
$F - G \subset X_1$ and $G - F \subset X_2$ does not happen at the same time.

We also know that all of the sets $B_i$ have the property $B_i \cap X_1 \neq \emptyset$ and
$B_i \cap X_2 \neq \emptyset$, since a sum of only negative or only positive numbers may not be
equal to zero.

Definition 2.6 We say that the family $\mathcal{F}$ of subsets of the finite set $X = X_1 \cup X_2$
($X_1 \cap X_2 = \emptyset$, $X_1 \neq \emptyset$, $X_2 \neq \emptyset$) is difference separated (with respect to the
partition $X_1 \cup X_2$) if $F - G$ and $G - F$ are separated by the partition for every
pair $F, G$ of distinct members of $\mathcal{F}$ and $F \cap X_1 \neq \emptyset$, $F \cap X_2 \neq \emptyset$ holds for each
member.

We know by now that for any set of SUM queries not compromising the
database we can find a set of $n$ real non-zero numbers $\{a_1, a_2, \ldots, a_n\}$,
such that the subsets of indices $X = \{1, 2, \ldots, n\}$, $\mathcal{B} = \{B_1, B_2, \ldots, B_m\}$
for which the sums $\sum_{i \in B_j} a_i$ are 0 do correspond to the SUM queries, on one
side, and form a difference separated family of subsets on the other side. That
is, any upper bound on the size of difference separated families (in our case of
subsets of given sizes) will give an upper bound on the possible number of SUM
queries not compromising the database. In the next section we will derive such
upper bounds, while in the last section (Conclusion), by giving specific
examples, we will also show that these bounds are sharp not only for the size of
the difference separated families but for the number of SUM queries as well.



3 The Main Mathematical Theorems 



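Theorem 3.1 Let $0 < k, n$ be fixed even integers, $n_0(k) < n$, that is $n$ is large
relative to $k$. Let further $X$ be an $n$-element set with partition $X = X_1 \cup X_2$
where $X_1, X_2 \neq \emptyset$. Suppose that $\mathcal{F}$ is a difference separated family (with respect
to $X_1 \cup X_2$) of subsets of size $k$ and $k - 1$. Then

$$|\mathcal{F}| \le M(n, k) = \binom{\left\lfloor \frac{(n+1)(k-1)}{k} \right\rfloor}{k-1} \left( n - \left\lfloor \frac{(n+1)(k-1)}{k} \right\rfloor \right). \qquad (1)$$
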

Theorem 3.2 Let $0 < k, n$ be fixed even integers, $n_0(k) < n$, that is $n$ is large
relative to $k$. Let further $X$ be an $n$-element set with partition $X = X_1 \cup X_2$
where $X_1, X_2 \neq \emptyset$. Suppose that $\mathcal{F}$ is a difference separated family (with respect
to $X_1 \cup X_2$) of subsets of size at most $k$. Then

$$|\mathcal{F}| \le M(n, k) + M(n, k-2) + M(n, k-4) + \ldots$$

Remark. Theorem 3.1 is sharp, since choosing $X_1$ to have $\left\lfloor \frac{(n+1)(k-1)}{k} \right\rfloor$ elements
and taking all $(k-1)$-element subsets of $X_1$ combining them with all possible 1-
element sets in $X_2$, the number of sets will be exactly $M(n, k)$. On the other
hand this construction obviously satisfies the conditions. Theorem 3.2, however, is
not necessarily sharp, since the obvious generalization of the construction above
does not always work. It is, however, asymptotically sharp, since $M(n, k-2) +
M(n, k-4) + \ldots = O(n^{k-3})$ while $M(n, k)$ is of order $k - 1$.

The proof will be given by a sequence of lemmas. 

Assume that a cyclic ordering is fixed both in $X_1$ and $X_2$. We say that the
pair $(A, B)$ of subsets $A \subset X_1$, $B \subset X_2$ is an $(a, b)$-interval-pair if $A$ and $B$
are intervals in the respective $X_i$ and $|A| = a$, $|B| = b$. The middle pair of the
$(a, b)$-interval-pair $(A, B)$ is $(x, y)$ where $x$ is the Ln^Jth element of $A$ and $y$ is
the L^srJth element of $B$.

Lemma 3.3 Suppose that $(A, B)$ and $(C, D)$ are $(a, b)$- and $(c, d)$-interval-pairs,
respectively, where $a + b = c + d$ ($a, b, c, d$ are positive integers). If their middle
pairs coincide then either $A \cup B - C \cup D \subset X_1$ and $C \cup D - A \cup B \subset X_2$ or
$A \cup B - C \cup D \subset X_2$ and $C \cup D - A \cup B \subset X_1$ hold.

Proof. It is easy to see that if $c < a$ then $C \subset A$. The inequality $d > b$ is a
consequence, this implies $B \subset D$. Hence we have $A \cup B - C \cup D \subset X_1$ and
$C \cup D - A \cup B \subset X_2$. The case $c > a$ is analogous. □

Lemma 3.4 Suppose that $(A, B)$ and $(C, D)$ are $(a, b)$- and $(c, d)$-interval-pairs,
respectively, where $a + b = c + d \pm 1$ ($a, b, c, d$ are positive integers). If their middle
pairs coincide then either $A \cup B - C \cup D \subset X_1$ and $C \cup D - A \cup B \subset X_2$ or
$A \cup B - C \cup D \subset X_2$ and $C \cup D - A \cup B \subset X_1$ hold.

Proof. The previous proof can be repeated. □

Lemma 3.5 Let $\mathcal{G}$ be a family of difference separated intervals with respect to
$X_1 \cup X_2$ with members of size $j - 1$ and $j$ ($2 < j$). Then $|\mathcal{G}| \le n_1 n_2$ holds.

Proof. The members of $\mathcal{G}$ must have different middle pairs by Lemmas 3.2 and
3.3. The number of possible middle pairs is $n_1 n_2$. □

Introduce the following definition: 



$$M(n_1, n_2; k) = \max \binom{n_1}{i} \binom{n_2}{j} \qquad (2)$$

where the maximum is taken for all $0 < i < n_1$, $0 < j < n_2$, $i + j = k$.

Lemma 3.6 Let $X = X_1 \cup X_2$, $X_1 \cap X_2 = \emptyset$, $|X_1| = n_1$, $|X_2| = n_2$. If $\mathcal{F}$ is a
family of difference separated sets of sizes $\ell$ and $\ell - 1$ then

$$|\mathcal{F}| \le M(n_1, n_2; \ell) \qquad (3)$$

holds.

Proof. The number of four-tuples $(C_1, C_2, A, B)$ will be counted in two different
ways, where $C_i$ is a cyclic permutation of $X_i$ ($i = 1, 2$), $A = F \cap X_1$ and $B =
F \cap X_2$ holds for some $F \in \mathcal{F}$ and they form an interval-pair for these cyclic
permutations.

Let us first fix $A$ and $B$ and count the number of cyclic permutations where they
are intervals. $C_1$ can be chosen in $|A|!(n_1 - |A|)!$ many ways, the same applies
for $B$, therefore the number of four-tuples is

$$\sum |A|!(n_1 - |A|)!\,|B|!(n_2 - |B|)! \qquad (4)$$

where the summation is taken for all $A = F \cap X_1$, $B = F \cap X_2$, $F \in \mathcal{F}$.

Fix now the cyclic permutations. The subfamily of $\mathcal{F}$ consisting of the
interval-pairs for these permutations will be denoted by $\mathcal{G}$. It is a family of
difference separated intervals. The application of Lemma 3.4 gives that the number
of pairs $A, B$ for any given pair of cyclic permutations is at most $n_1 n_2$. Since
the number of permutations is $(n_1 - 1)!(n_2 - 1)!$, the number of four-tuples in
question is at most $n_1! n_2!$. Compare it with (4):

$$\sum |A|!(n_1 - |A|)!\,|B|!(n_2 - |B|)! \le n_1! n_2!.$$

Elementary operations lead to

$$\sum \frac{1}{\binom{n_1}{|A|} \binom{n_2}{|B|}} \le 1 \qquad (5)$$

where $A = F \cap X_1$, $B = F \cap X_2$, $0 < |A| < n_1$, $0 < |B| < n_2$, $|A| + |B| = \ell$ or $\ell - 1$.
Since $M(n_1, n_2; \ell - 1) \le M(n_1, n_2; \ell)$ holds, by the definition of $M(n_1, n_2; \ell)$ (5)
implies

$$\sum \frac{1}{M(n_1, n_2; \ell)} \le 1$$

proving (3). □

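Lemma 3.7 Suppose $1 < i < \ell < n$, $\ell - i < n - n_1$. Then

$$\binom{n_1}{i} \binom{n - n_1}{\ell - i} \le \binom{\left\lfloor \frac{(n+1)i}{\ell} \right\rfloor}{i} \binom{n - \left\lfloor \frac{(n+1)i}{\ell} \right\rfloor}{\ell - i}.$$

Proof. Compare two consecutive expressions:

$$\binom{n_1}{i} \binom{n - n_1}{\ell - i} \le \binom{n_1 + 1}{i} \binom{n - n_1 - 1}{\ell - i}.$$

After carrying out the possible cancellations

$$\frac{n - n_1}{n - n_1 - \ell + i} \le \frac{n_1 + 1}{n_1 - i + 1}$$

is obtained, which is equivalent to

$$n_1 + 1 \le \frac{(n+1)i}{\ell}.$$

Hence $\binom{n_1}{i} \binom{n - n_1}{\ell - i}$ takes on its maximum (with fixed $i$ and $\ell$) at
$n_1 = \left\lfloor \frac{(n+1)i}{\ell} \right\rfloor$.
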

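Lemma 3.8 Suppose 0< — 1. If $n_0(\ell) < n$ then

$$\binom{\left\lfloor \frac{(n+1)i}{\ell} \right\rfloor}{i} \binom{n - \left\lfloor \frac{(n+1)i}{\ell} \right\rfloor}{\ell - i} \le \binom{\left\lfloor \frac{(n+1)(i+1)}{\ell} \right\rfloor}{i + 1} \binom{n - \left\lfloor \frac{(n+1)(i+1)}{\ell} \right\rfloor}{\ell - i - 1}.$$

Proof. After carrying out the possible cancellations,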



(n- 


(n+l)i \ 

[ i })■■■ 


(n — 


(n+l)(»+l)J | 


(£-i)[ 


("+!)' 

e 


! J-<) 



(n+l)(i+l) 



+ 1 ) 



(* + 1) (n - 



(n+l)(i+l) _ (+i+1 



is obtained, which is equivalent to



i 71 - 


(n+l)i 

l 


) 


1 ... 1 


{n 


- 


(n+l)(i+l) 

l 






(n+l)(i+l) 

i 


•••I 


; 


(n+ l)i 
i 







{£-i)\ 


; 


(n+l)i 

l 


_i ) 


1 


(< + l)l 


( n — 


(n+l)(i+l) 

l 


-£ + i + l^j 



( 6 ) 



Consider the left hand side as a product of quotients: the quotient of the first
factors, the second factors, etc., in the numerator and the denominator, respectively.
The first of these quotients is the largest one, it is less than 1, their number
is at least Therefore the left hand side in (6) can be replaced by



/ n — 


(n+l)i 

i 


h 


11 


| (n+l)(i+l) | 


) 


L 


1 \ 



ra + 1 
l 



A further increase is 



n 



+ 1 f (i-i 



(u+iKj+i) 



i + 1 



Here $\ell - i < i + 1$ by the assumption of the lemma, therefore the left hand side
of (6) tends exponentially to 0 when $n$ tends to infinity. On the other hand, the
right hand side of (6) tends to

(£ — i)i 

proving the inequality. □ 

Remark. This lemma seems to be true for small values of $n$, too; we have
technical difficulties proving it.

Proof of Theorem 3.1. By Lemma 3.6 $|\mathcal{F}|$ cannot exceed the largest product
$\binom{n_1}{i} \binom{n - n_1}{k - i}$ where $1 \le n_1 \le n$, $1 \le i \le n_1$, $1 \le k - i \le n - n_1$. By symmetry
$\frac{k}{2} \le i$ can be supposed. Lemma 3.7 gives the best $n_1$. This upper estimate in
Lemma 3.7 can be increased by Lemma 3.8 until we arrive at the largest possible
value of $i$: $\ell - 1$. This is the desired upper estimate. □

Proof of Theorem 3.2. Apply Theorem 3.1 with $k, k-2, k-4, \ldots$ and sum
the obtained upper estimates. □

4 Conclusion

By the argument of Section 2 and the results of Section 3, if $n_0(k) < n$, at
most $M(n, k)$ (see (1) for exact value) SUM queries of size $k$ can be asked about
a set of data $x_1, x_2, \ldots, x_n$ without disclosing at least one of the values $x_i$. On
the other hand, this bound is not only sharp for the mathematical questions
asked in the previous section, but also for the original problem. Assume $n$ equal
real numbers divided into two parts: $B_1$ of size $\left\lfloor \frac{(n+1)(k-1)}{k} \right\rfloor$
and $B_2$ of size $n - \left\lfloor \frac{(n+1)(k-1)}{k} \right\rfloor$. Take all subsums of these numbers of $k$ elements such that
$k - 1$ are chosen from set $B_1$ and 1 from set $B_2$. Now increase all of the elements
of $B_1$ by 1 and decrease all of the elements of $B_2$ by $k - 1$ (assume that originally
the common value was neither $-1$ nor $k - 1$) and take exactly the same subsums.
The answers to these queries are the same in both cases, that is, these answers
do not disclose any of the values $x_i$.

It is also interesting to mention that the bound $M(n, k)$ is only a constant factor
smaller than the absolute upper bound $\binom{n}{k}$ for the number of SUM queries of size
$k$, and much bigger than the somewhat more general solution of $\binom{n/2}{k/2}^2$, which is
$\sqrt{k}$ times smaller than $\binom{n}{k}$. One can get a construction yielding the bound $\binom{n/2}{k/2}^2$
simply using the above method but dividing the set of the values into two equal
size subsets and picking always the same number of elements from both sides.
For example, if $n = 20$ and $k = 10$, then $\binom{n}{k} = 184756$, $M(n, k) = 97240$ and
$\binom{n/2}{k/2}^2 = 63504$.
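The construction and the numbers above can be checked mechanically. The following Python sketch is an added example, not code from the paper, and its function names are hypothetical. It builds the queries of the construction, confirms that their number equals $M(n, k)$, that the shifted database returns identical answers while differing in every record, and that the query family is difference separated in the sense of Definition 2.6.

```python
from itertools import combinations
from math import comb


def floor_split(n, k):
    """Size of B1 in the construction: floor((n+1)(k-1)/k)."""
    return (n + 1) * (k - 1) // k


def M(n, k):
    """Bound (1): C(|B1|, k-1) * (n - |B1|)."""
    n1 = floor_split(n, k)
    return comb(n1, k - 1) * (n - n1)


def build_queries(n, k):
    """All k-subsets of record indices with k-1 indices from B1 and one from B2."""
    n1 = floor_split(n, k)
    b1, b2 = range(n1), range(n1, n)
    return [frozenset(part) | {j} for part in combinations(b1, k - 1) for j in b2]


def answer(db, queries):
    """Answers of the SUM queries over the database `db`."""
    return [sum(db[i] for i in q) for q in queries]


def shifted(db, n, k):
    """Second database: B1 values increased by 1, B2 values decreased by k-1."""
    n1 = floor_split(n, k)
    return [x + 1 if i < n1 else x - (k - 1) for i, x in enumerate(db)]


def is_difference_separated(family, x1):
    """Definition 2.6, with X2 taken as the complement of X1."""
    x1 = frozenset(x1)
    for f in family:
        if not (f & x1) or not (f - x1):      # must meet both X1 and X2
            return False
    for f, g in combinations(family, 2):
        for p, q in ((f - g, g - f), (g - f, f - g)):
            if p <= x1 and q.isdisjoint(x1):  # p inside X1 and q inside X2
                return False
    return True


def check_construction(n, k, common=5):
    """Run the construction on n equal values (constructed sample data)."""
    queries = build_queries(n, k)
    db = [common] * n
    alt = shifted(db, n, k)
    return {
        "queries": len(queries),
        "bound": M(n, k),
        "same_answers": answer(db, queries) == answer(alt, queries),
        "every_record_differs": all(a != b for a, b in zip(db, alt)),
        "difference_separated": is_difference_separated(
            queries, range(floor_split(n, k))),
    }


def paper_numbers(n, k):
    """The three quantities compared in the text: C(n,k), M(n,k), C(n/2,k/2)^2."""
    return comb(n, k), M(n, k), comb(n // 2, k // 2) ** 2


if __name__ == "__main__":
    print(check_construction(8, 4))
    print(paper_numbers(20, 10))
```

Because two databases that differ in every record give the same answer vector, an observer of the answers cannot pin down any single value.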

The bound for the case when the SUM queries may have any number of
elements less than or equal to $k$ is most probably not sharp. At the same time,
similar to the case in the mathematical theorem, an asymptotically good
construction can be given simply taking the above construction for the case when
all sums have exactly $k$ elements (see Remark after Theorem 3.2).

Abstract. Ordered Choice Logic Programming (OCLP) allows for dynamic
preference-based decision-making with multiple alternatives without the need for any
form of negation. This complete absence of negation does not weaken the language
as both forms (classical and as-failure) can be intuitively simulated in the language
and eliminated using a simple pre-processor, making it also an easy language
for users less familiar with logic programming. The semantics of the language
is based on the preference between alternatives, yielding both a skeptical and a
credulous approach. In this paper we demonstrate how OCLPs can be translated
to semi-negative logic programs such that, depending on the transformation, the
answer sets of the latter correspond with the skeptical/credulous answer sets of
the former. By providing such a mapping, we have a mechanism for implementing
OCLP using answer set solvers like Smodels or dlv. We end with a discussion of
the complexity of our system and the reasoning tasks it can perform.



1 Introduction 

Examining human reasoning, we find that people often use preference, order or defaults
for making decisions: “I prefer this dish”, “This colour goes better with the interior”,
“This item costs more”, “In general, the human heart is positioned at the left”. When
faced with conflicting information, one tends to make decisions that prefer an alternative
corresponding to more reliable, more complete, more preferred or more specific
information. When modelling knowledge or non-monotonic reasoning via computer programs,
it is only natural to incorporate such mechanisms.

In recent years several proposals for the explicit representation of preference in logic 
programming formalisms have been put forward. [19,18] are just two examples. 

Systems that support preferences find applications in various domains such as law, 
object orientation, scheduling, model based diagnosis and configuration tasks. However, 
most approaches use preferences only when the models have already been computed, 
i.e. decisions have already been made, or only support preferences between rules with 
opposite (contradictory) consequences, thus statically limiting the number of alternatives 
of a decision. 

* This work was partially funded by the Information Society Technologies programme of the
European Commission, Future and Emerging technologies under the IST-2001-37004 WASP
project.

We propose a formalism ([16]), called ordered choice logic programming, that
enables one to dynamically reason about situation-dependent decisions involving multiple
alternatives. The dynamics of this system is demonstrated by the following example.

Example 1.1. Buying a laptop computer involves a compromise between what is
desirable and what is affordable. Take, for example, the choice between a CD, CDRW or
DVD drive. The CD is the cheaper option. On the other hand, for a laptop, a DVD drive
may be more useful than a CD writer. If the budget is large enough, one could even buy
two of the devices. The above information leads one to consider two possible situations.

- With a smaller budget, a DVD-player is indicated, while 

- with a larger budget, one can order both a DVD-player and a CD-writer. 

To allow this kind of reasoning, a program consists of a (strict) partially ordered set
of components containing choice rules (rules with exclusive disjunction in the head).
Information flows from less specific components to the more preferred ones until a
conflict among alternatives arises, in which case the most specific one will be favoured. The
situation becomes less clear when two alternatives are equally valued or are unrelated.
The decision in this case is very situation dependent: a doctor having a choice between
two equally effective cures has to make a decision, while you better remain indecisive
when two of your friends have an argument! To allow both types of intuitive reasoning,
two semantics are introduced: a credulous and a more skeptical one.

OCLP provides an elegant and intuitive way of representing and dealing with
decisions. People with little or no experience with non-monotonic reasoning can easily
relate to it, due to the absence of negation. This absence of negation does not restrict the
language in any way, as both types (classic and as-failure) can easily be simulated. When
users insist they can use negation, a simple pre-processor can then be used to remove it
while maintaining the semantics.

In computer science, having a nice theory alone is not enough; one also needs to be 
able to apply it. The aim of this paper is to provide the theoretical foundations for an 
implementation. 

In this paper, we investigate the possibility for building an OCLP front-end for
answer set solvers. Smodels ([20]), developed at Helsinki University of Technology, and
dlv ([26]), created at the Technical University of Vienna and the University of Calabria,
are currently the most popular ones. An initial implementation built on top of Smodels
can be obtained from http://www.cs.bath.ac.uk/~mdv/oct/.

The remainder of this paper is organised as follows: in Section 2 we continue with a
short overview of the basic notions concerning choice logic programming, the language
behind OCLP. Section 3 focuses on the introduction of OCLP with its skeptical and
credulous answer set semantics. Section 4 deals with two mappings of OCLPs to
semi-negative logic programs allowing answer set solvers to work with OCLP. We also take a
closer look at the complexity of the proposed mappings. These transformations, one for
each semantics, can then serve as a theoretical model for our front-end. We investigate
various ways how we could, implementation wise, improve them. Furthermore, we
introduce an initial implementation, called OCT, which computes both types of answer
sets on top of Smodels. When explaining the theoretical aspects of both OCLP and
the mappings we always considered our programs to be grounded. At the end of the
section, we have a closer look at the technical issues that arise when we extend to
the non-grounded case with a finite Herbrand Universe. In Section 6, we investigate
the complexity and the expressive power of our language. We end this paper with a
discussion on the relations with other approaches (Section 7) and directions for future
research (Section 8).

2 Choice Logic Programming 

Choice logic programs [15] represent decisions by interpreting the head of a rule as an
exclusive choice between alternatives.

Formally, a Choice Logic Program [15], CLP for short, is a countable set of rules
of the form $A \leftarrow B$ where $A$ and $B$ are finite sets of ground atoms. Intuitively, atoms
in $A$ are assumed to be xor'ed together while $B$ is read as a conjunction (note that $A$
may be empty, i.e. constraints are allowed). The set $A$ is called the head of the rule
$r$, denoted $H_r$, while $B$ is its body, denoted $B_r$. In examples, we use “$\oplus$” to denote
exclusive disjunction¹, while is used to denote conjunction.

The Herbrand base of a CLP $P$, denoted $\mathcal{B}_P$, is the set of all atoms that appear in
$P$. An interpretation² is a subset of $\mathcal{B}_P$.

A rule $r$ in a CLP is said to be applicable w.r.t. an interpretation $I$ if $B_r \subseteq I$. Since we
are modelling choice, we have that $r$ is applied when $r$ is applicable and³ $|H_r \cap I| = 1$.
A rule is satisfied if it is applied or not applicable. A model is defined in the usual way as
a total interpretation that satisfies every rule. A model $M$ is said to be minimal if there
does not exist a model $N$ such that $N \subset M$.

3 Ordered Choice Logic Programming 

An ordered choice logic program (OCLP) is a collection of choice logic programs, called
components, which are organised in a strict partial order⁴ that represents some preference
criterion (e.g. specificity, reliability, ...).

Definition 3.1. An Ordered Choice Logic Program, or OCLP, is a pair $(\mathcal{C}, \prec)$ where $\mathcal{C}$
is a finite set of choice logic programs, called components, and “$\prec$” is a strict pointed
partial order on $\mathcal{C}$.

For two components $C_1, C_2 \in \mathcal{C}$, $C_1 \prec C_2$ implies that $C_1$ is preferred over $C_2$.
Throughout the examples, we will often represent an OCLP $P$ by means of a directed
acyclic graph (dag) in which the nodes represent the components and the arcs the
$\prec$-relation, where arcs point from smaller (more preferred) to larger (less preferred)
components.

1 The exclusive disjunction used here is stronger than the one used in classic propositional logic.
Here we assume that $a \oplus b \oplus c$ can only be true iff exactly one atom is true. The same statement
in classical logic is also true when all three atoms are true.

2 In this paper we only work with total interpretations: each atom from the Herbrand base is
either true or false. Bearing this in mind, it suffices to mention only those atoms which can be
considered true.

3 For a set $X$, we use $|X|$ to denote its cardinality.

4 A relation $R$ on a set $A$ is a strict partial order iff $R$ is anti-reflexive, anti-symmetric and
transitive. $R$ is pointed if an element $a \in A$ exists such that $aRb$ for all $b \in A$.

$P_1$: $\mathit{cd\_rom} \leftarrow$
$P_2$: $\mathit{cd\_writer} \leftarrow$
$P_3$: $\mathit{dvd\_player} \leftarrow$
$P_4$: $\mathit{cd\_rom} \oplus \mathit{cd\_writer} \oplus \mathit{dvd\_player} \leftarrow \mathit{laptop}$
$P_5$: $\mathit{small} \oplus \mathit{larger} \leftarrow$
       $\mathit{dvd\_player} \leftarrow \mathit{larger}$
       $\mathit{cd\_writer} \leftarrow \mathit{larger}$

Fig. 1. The Configuration OCLP of Example 3.1



Example 3.1. The decision problem from the introduction (Example 1.1) can easily be
written as an OCLP, as shown in Figure 1. The rules in components $P_1$, $P_2$ and $P_3$
express the preferences in case of a small budget. The rules in $P_4$ express the intention
to buy/configure a laptop and, because of this, a decision about its various devices should
be made. In component $P_5$, the first rule states the possibility of a larger budget. If so,
the two remaining rules allow the purchase of both a DVD-player and a CD-writer.



Definition 3.2. Let $P$ be an OCLP. We use $P^\star$ to denote the CLP that contains all the
rules appearing in (a component of) $P$. We assume that rules in $P^\star$ are labelled by the
component from which they originate and we use $c(r)$ to denote the component⁵ of $r$.
The Herbrand base $\mathcal{B}_P$ of $P$ is defined by $\mathcal{B}_P = \mathcal{B}_{P^\star}$.

An interpretation for $P$ is any interpretation of $P^\star$. We say that a rule $r$ in $P$ is applicable
w.r.t. an interpretation $I$ iff $B_r \subseteq I$; $r$ is applied w.r.t. $I$ iff $r$ is applicable and $|H_r \cap I| = 1$.



Example 3.2. For the OCLP in Example 3.1, the sets $I = \{\mathit{dvd\_player}, \mathit{small}\}$, $J =
\{\mathit{laptop}, \mathit{cd\_writer}, \mathit{small}\}$, $K = \{\mathit{laptop}, \mathit{dvd\_player}, \mathit{small}\}$ and $L = \{\mathit{dvd\_player},
\mathit{larger}, \mathit{cd\_writer}, \mathit{cd\_player}, \mathit{laptop}\}$ are all interpretations. The interpretation $I$ makes
the rule $\mathit{small} \oplus \mathit{larger} \leftarrow$ applied while the applicable rule $\mathit{cd\_writer} \leftarrow$ is not
applied.

Facing a decision means making an exclusive choice between the various alternatives
which are available. If we want OCLP to model/solve decision problems we need a
mechanism for representing them. In a CLP, decisions are generated by so-called choice
rules, i.e. rules with multiple head atoms. For OCLP, we can do something similar as
long as we also take the preference order into account. We want to make sure that we
leave the option open to overrule the exclusiveness of a choice when in more preferred
components multiple alternatives are suggested (e.g. Example 1.1). Hence we say that
an atom $a$ is an alternative for an atom $b$ in a component $C$ if an applicable rule exists
in a component at least as preferred as $C$ containing both $a$ and $b$ in its head.

5 Without losing generality, we can assume that a rule appears in only one component.

Definition 3.3. Let $I$ be an interpretation of an OCLP $P = (\mathcal{C}, \prec)$ with $C \in \mathcal{C}$. The
set of alternatives in $C$ for an atom $a \in \mathcal{B}_P$ w.r.t. $I$, denoted $\Omega_C^I(a)$, is defined as⁶:
$\Omega_C^I(a) = \{b \mid \exists r \in P^\star \cdot c(r) \preceq C \wedge B_r \subseteq I \wedge a, b \in H_r \text{ with } a \neq b\}$.



Example 3.3. Reconsider Example 3.2. The alternatives for $\mathit{cd\_rom}$ in $P_2$ w.r.t. $J$ are
$\Omega_{P_2}^J(\mathit{cd\_rom}) = \{\mathit{dvd\_player}, \mathit{cd\_writer}\}$. W.r.t. $I$, we obtain $\Omega_{P_2}^I(\mathit{cd\_rom}) = \emptyset$,
since the choice rule in $P_4$ is not applicable. When we take $P_5$ instead of $P_2$, we obtain
w.r.t. $J$: $\Omega_{P_5}^J(\mathit{cd\_rom}) = \emptyset$.

Given the alternatives in a certain context (a component and an interpretation), one
naturally selects that alternative that is motivated by a more preferred rule, thus defeating
the rule(s) suggesting less preferred alternatives. However, if alternatives appear in the
same or unrelated components, two approaches are possible: using a skeptical strategy,
one would refrain from making a decision, i.e. not selecting any of the various
alternatives, while a credulous setting suggests an arbitrary choice of one of the alternatives. For
both types of reasoning one can think of situations where one approach works while the
other gives an incorrect, unintuitive outcome. Skeptical reasoning is practiced in
American law when a jury cannot come to a unanimous decision. An example of credulous
reasoning is the decision a goal-keeper faces in football when trying to stop a penalty.
To accommodate this problem, we introduce a semantics for both types of reasoning.
From a skeptical viewpoint, we say that a rule is defeated if one can find a better, more
preferred alternative for each of its head atoms.

Definition 3.4. Let $I$ be an interpretation for an OCLP $P$. A rule $r \in P^\star$ is defeated
w.r.t. $I$ iff $\forall a \in H_r \cdot \exists r' \in P^\star \cdot c(r') \prec c(r) \wedge B_{r'} \subseteq I \wedge H_{r'} \subseteq \Omega_{c(r)}^I(a)$.



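Example 3.4. Reconsider Example 3.2. The rule $\mathit{cd\_rom} \leftarrow$ is defeated w.r.t. $J$ by the
rule $\mathit{cd\_writer} \leftarrow$. The rule $\mathit{cd\_rom} \oplus \mathit{cd\_writer} \oplus \mathit{dvd\_player} \leftarrow$ is defeated w.r.t.
$L$ by the combination of the rules $\mathit{dvd\_player} \leftarrow \mathit{larger}$ and $\mathit{cd\_writer} \leftarrow \mathit{larger}$.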



Example 3.5. Consider the OCLP $(\{P_1 = \{a \leftarrow;\ b \leftarrow\}, P_2 = \{a \oplus b \leftarrow\}\}, P_2 \prec P_1)$.
Given the interpretation $\{b\}$, the rule $r : a \leftarrow$ is not defeated. The atom $a$ has one
alternative, i.e. $b$, thanks to the applicable choice rule in component $P_2$. However, examining
the more preferred components of $c(r) = P_1$, we cannot find any rule having $b$ in the
head.

Just as for the skeptical semantics we need to define an appropriate defeating strategy
for our credulous approach. An obvious way of doing so consists of simply dropping
the condition that an alternative should be found in a more preferred component.
Unfortunately, this leads to unintuitive results. To avoid this, we need to make sure that
credulous defeaters are not only applicable, but also applied.

Definition 3.5. Let $I$ be an interpretation for an OCLP $P$. A rule $r \in P^\star$ is c-defeated
w.r.t. $I$ iff $\forall a \in H_r \cdot \exists r' \in P^\star \cdot c(r) \nprec c(r') \wedge r'$ is applied w.r.t. $I \wedge H_{r'} \subseteq \Omega_{c(r)}^I(a)$.

6 $\preceq$ is the reflexive closure of $\prec$.

Note that this definition allows the rules $r'$ to come from a more preferred, the same
or unrelated component. At first sight one might think that a situation could occur where
$r = r'$. However, this is impossible as an atom can never be considered an alternative
of itself.

Example 3.6. While the skeptical approach makes it impossible to have the rule $a \leftarrow$
in Example 3.5 defeated w.r.t. $\{b\}$, the credulous semantics can.

For our model semantics, both skeptical and credulous, rules that are not satisfied (as
for choice logic programs) must be (c-)defeated.

Definition 3.6. Let $P$ be an OCLP. A total interpretation $I$ is a skeptical/credulous
model iff every rule in $P^\star$ is either not applicable, applied or (c-)defeated w.r.t. $I$. A
skeptical/credulous model $M$ is minimal iff $M$ is minimal according to set inclusion,
i.e. no skeptical/credulous model $N$ of $P$ exists such that $N \subset M$.

Example 3.7. Reconsider the interpretations $I$, $J$, $K$ and $L$ from Example 3.2. Only
$K$ and $L$ are skeptical/credulous models. Model $L$ is not minimal due to the
skeptical/credulous model $Z = \{\mathit{dvd\_player}, \mathit{cd\_writer}, \mathit{laptop}, \mathit{larger}\}$. The minimal
skeptical/credulous models $K$ and $Z$ correspond to the intuitive outcomes of the problem.

Example 3.8. The program of Example 3.5 has no skeptical models but two credulous
ones: $\{a\}$, $\{b\}$.
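Definitions 3.3 to 3.6 can be executed directly on small grounded programs. The following Python sketch is an added example, not the authors' OCT implementation; its class and function names are hypothetical and it enumerates all interpretations by brute force. It encodes the program of Example 3.5 and the three-component program $P_1 = \{a \leftarrow\}$, $P_2 = \{b \leftarrow\}$, $P_3 = \{a \oplus b \leftarrow c\}$ with $P_3 \prec P_2 \prec P_1$.

```python
from itertools import combinations
from typing import NamedTuple


class Rule(NamedTuple):
    comp: str         # name of the component the rule belongs to, c(r)
    head: frozenset   # H_r, read as an exclusive choice
    body: frozenset   # B_r, read as a conjunction


def rule(comp, head, body=""):
    """Build a rule from space-separated atom names, e.g. rule("P3", "a b", "c")."""
    return Rule(comp, frozenset(head.split()), frozenset(body.split()))


class OCLP:
    def __init__(self, rules, order):
        self.rules = list(rules)
        # `order` holds pairs (C1, C2) meaning C1 ≺ C2: C1 is preferred over C2.
        self.prec = set(order)
        while True:  # transitive closure of the strict order
            extra = {(a, d) for a, b in self.prec for c, d in self.prec if b == c}
            if extra <= self.prec:
                break
            self.prec |= extra
        self.atoms = sorted(set().union(*(r.head | r.body for r in self.rules)))

    def applicable(self, r, interp):
        return r.body <= interp

    def applied(self, r, interp):
        return r.body <= interp and len(r.head & interp) == 1

    def alternatives(self, comp, atom, interp):
        """Definition 3.3: atoms sharing an applicable head with `atom`,
        in a component at least as preferred as `comp`."""
        alts = set()
        for r in self.rules:
            at_least_as_preferred = r.comp == comp or (r.comp, comp) in self.prec
            if at_least_as_preferred and self.applicable(r, interp) and atom in r.head:
                alts |= r.head - {atom}
        return alts

    def defeated(self, r, interp):
        """Definition 3.4: each head atom has an applicable rival rule in a
        strictly more preferred component whose head consists of alternatives."""
        return all(
            any((q.comp, r.comp) in self.prec and self.applicable(q, interp)
                and q.head <= self.alternatives(r.comp, a, interp)
                for q in self.rules)
            for a in r.head)

    def c_defeated(self, r, interp):
        """Definition 3.5: the rival must be applied and must not come from a
        component less preferred than c(r)."""
        return all(
            any((r.comp, q.comp) not in self.prec and self.applied(q, interp)
                and q.head <= self.alternatives(r.comp, a, interp)
                for q in self.rules)
            for a in r.head)

    def models(self, credulous=False):
        """Definition 3.6: every rule is not applicable, applied or (c-)defeated."""
        beaten = self.c_defeated if credulous else self.defeated
        found = set()
        for size in range(len(self.atoms) + 1):
            for chosen in combinations(self.atoms, size):
                interp = frozenset(chosen)
                if all(not self.applicable(r, interp) or self.applied(r, interp)
                       or beaten(r, interp) for r in self.rules):
                    found.add(interp)
        return found

    def minimal_models(self, credulous=False):
        all_models = self.models(credulous)
        return {m for m in all_models if not any(n < m for n in all_models)}


# The program of Example 3.5.
EX_3_5 = OCLP([rule("P1", "a"), rule("P1", "b"), rule("P2", "a b")],
              {("P2", "P1")})
# Three components with P3 ≺ P2 ≺ P1.
EX_CHAIN = OCLP([rule("P1", "a"), rule("P2", "b"), rule("P3", "a b", "c")],
                {("P3", "P2"), ("P2", "P1")})

if __name__ == "__main__":
    print(EX_3_5.models(), EX_3_5.models(credulous=True))
    print(EX_CHAIN.minimal_models(), EX_CHAIN.minimal_models(credulous=True))
```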

The next example illustrates that the skeptical/credulous model semantics does not 
always provide the appropriate solutions to the decision problem at hand. 

Example 3.9. Consider the ordered choice logic program $P = (\{P_1 = \{a \leftarrow\}, P_2 =
\{b \leftarrow\}, P_3 = \{a \oplus b \leftarrow c\}\}, P_3 \prec P_2 \prec P_1)$, where $P$ has two minimal skeptical/credulous
models: $M = \{b, c\}$, and $N = \{a, b\}$. Clearly, $c$ is an unsupported assumption in $M$,
causing $P_3$ to trigger an unwarranted choice between $a$ and $b$.

We introduce an adaptation of the Gelfond-Lifschitz [23] and reduct ([25])
transformations to filter unintended (minimal) models containing unsupported atoms. This
results in the skeptical/credulous answer set semantics.

Definition 3.7. Let $M$ be a total interpretation for an OCLP $P$. The Gelfond-Lifschitz
transformation (resp. reduct) for $P$ w.r.t. $M$, denoted $P^M$ (resp. $P_c^M$), is the CLP
obtained from $P^\star$ by removing all (c-)defeated rules. $M$ is called a skeptical (resp.
credulous) answer set for $P$ iff $M$ is a minimal model⁷ for $P^M$ (resp. $P_c^M$).

Although both answer set semantics produce models (skeptical or credulous ones) for
the program, they differ in whether they produce minimal ones or not. Just as for answer
sets of semi-negative logic programs, we find that skeptical answer sets are minimal
skeptical models. For extended disjunctive logic programs, the answer set semantics is
not minimal [25]. The same applies for credulous answer sets of ordered choice logic
programs, as demonstrated by the following example.

7 The definition in [16] states a stable model, but since both are identical for CLP, we have opted
in this paper to use minimal model instead.

Example 3.10. Consider the program $P = (\{P_1 = \{r_1 : g \leftarrow\}, P_2 = \{r_2 : p \oplus d \leftarrow;\ r_3 :
g \oplus p \leftarrow;\ r_4 : g \oplus d \leftarrow\}\}, P_2 \prec P_1)$. Consider $M_1 = \{g\}$ and $M_2 = \{g, d\}$. Clearly,
$M_1 \subset M_2$, while both interpretations are credulous answer sets for $P$. For $M_1$, we
have that $P_c^{M_1} = \{g \leftarrow;\ g \oplus d \leftarrow;\ g \oplus p \leftarrow\}$ for which it can easily be verified that
$M_1$ is a minimal model. The program $P_c^{M_2} = \{p \oplus d \leftarrow;\ g \oplus p \leftarrow\}$ has two minimal
models: $\{p\}$ and $\{g, d\}$. Note that $M_2$ is a credulous model because the c-defeater has
become c-defeated, i.e. the justification in $M_1$ for c-defeating $p \oplus d \leftarrow$ has disappeared
in $M_2$.



Non-minimal credulous answer sets appear when the program contains inconsistencies
on a decision level: in the above example the following choices have to be made: $\{p, d\}$,
$\{g, p\}$ and $\{g, d\}$. Because of the program’s construction, one can choose either one or
two alternatives and c-defeating will make the choice justifiable.



4 Implementation 

For the last five years, answer set programming has gained popularity. One of the main
forces behind this is the growing efficiency of answer set solvers like smodels ([20]) and
dlv ([26]).

In this section, we propose a mapping, for both semantics, to semi-negative logic
programs. Since both answer set solvers support this type of programs, this would allow
us to implement an OCLP front-end for them. In this section we will present an initial
implementation designed to work on top of smodels. So far our efforts have been
restricted to the grounded case; in the last part of this section we extend our approach to
non-grounded programs.

The skeptical answer set semantics is based on the notion of defeat. If we want to 
map our formalism to a language which does not support this, we need a way to encode 
it. This implies anticipating which combinations of rules could be capable of defeating 
a rule and which ones are not. 

The definition of defeating relies strongly on the notion of alternatives: rules can only
be defeated by rules containing alternatives of the head atoms. Therefore, anticipating
defeaters also implies predicting alternatives. According to Definition 3.3, $b$ is an
alternative of $a$ in a component $C$ if one can find an applicable choice rule as preferred as $C$
containing both $a$ and $b$ in the head. This implies that even without an interpretation we
can find out which atoms might be or could become alternatives; it only remains to be
checked if the rule is applicable or not. These condition-based alternatives are referred
to as possible future alternatives and are defined more formally below.

Definition 4.1. Let $P$ be an OCLP, $C \in \mathcal{C}$ be a component of $P$ and $a \in \mathcal{B}_P$.
The set of possible future alternatives of $a$ in $C$, denoted as $\mathcal{A}_C^P(a)$, is defined as
$\mathcal{A}_C^P(a) = \{(b, B_r) \mid \exists r \in P \cdot c(r) \preceq C, a, b \in H_r, a \neq b\}$.

Example 4.1. Consider the OCLP $P = (\{P_1 = \{r_1 : a \leftarrow;\ r_2 : f \leftarrow\}, P_2 = \{r_3 :
a \oplus b \oplus c \leftarrow d;\ r_4 : a \oplus d \leftarrow f;\ r_5 : d \oplus c \leftarrow\}\}, P_2 \prec P_1)$. The possible future alternatives
of $a$ in $P_1$ equal $\mathcal{A}_{P_1}^P(a) = \{(b, \{d\}), (c, \{d\}), (d, \{f\})\}$.

It is easy to see that one can compute the possible future defeaters in one iteration
of the program, making the process polynomial.

The next theorem demonstrates that alternatives can be expressed in terms of possible 
future alternatives. 

Theorem 4.1. Let $P$ be an OCLP, $C \in \mathcal{C}$ be a component of $P$, $a \in \mathcal{B}_P$ and $I$ an 
interpretation for $P$. Then, $\Omega^I_C(a) = \{b \mid (b, S) \in \mathcal{A}^P_C(a) \wedge S \subseteq I\}$. 

Having these possible future alternatives allows us to detect possible future defeaters 
in much the same way as we detect standard defeaters (Definition 3.4). The only extra 
bit we need is to collect all the conditions on the alternatives. This collection then acts 
as the condition for the defeating rule. 

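Definition 4.2. Let $P$ be an OCLP, $C \in \mathcal{C}$ be a component of $P$ and $a \in \mathcal{B}_P$. 
The set of possible future defeaters of $a$ in $C$, denoted as $\mathcal{D}^P_C(a)$, is defined as 
$\mathcal{D}^P_C(a) = \{(r, S) \mid \exists r \in P \cdot c(r) \preccurlyeq C,\ \forall b \in H_r \cdot (b, B_b) \in \mathcal{A}^P_C(a),\ S = \bigcup_{b \in H_r} B_b\}$. 
The set of possible future defeaters of a rule $r \in P$, denoted as $\mathcal{D}^P(r)$, is defined as 
$\mathcal{D}^P(r) = \{(R, S) \mid S = \bigcup_{a \in H_r} S_a \text{ such that } (r_a, S_a) \in \mathcal{D}^P_{c(r)}(a),\ r_a \in R\}$. 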

Having the possible future defeaters of an atom in a certain component, we can 
easily find that combination that can act as a possible future defeater of a rule in a 
certain component. We simply compute the set of possible future defeaters of each of 
the head atoms of this rule in this rule’s component. The set of all possible permutations 
of choosing an element from each of these sets give us the possible future defeaters of 
our rule. In other words, we obtain a number of possible future defeaters of a rule equal 
to the product of the sizes of the sets of possible future defeaters for each of its head 
elements. 

Example 4.2. When we look back to the program $P$ of Example 4.1, we have that $a$ 
has one possible future defeater in $P_1$: $\mathcal{D}^P_{P_1}(a) = \{(r_5, \{d, f\})\}$. In the same 
component, we have that $c$ has a future defeater $\mathcal{D}^P_{P_1}(c) = \{(r_4, \{d, f\})\}$. All the 
other atoms in the program do not have any possible future defeaters in any of the 
relevant components. The rule $r_1$ is the only rule with possible future defeaters, namely 

$\mathcal{D}^P(r_1) = \{(\{r_5\}, \{d, f\})\}$. 

Computing all possible defeaters of an atom can be done by one pass of the program. 
Therefore, computing the possible defeaters of all atoms can be done in polynomial time. 
The possible future defeaters of a rule can be obtained in polynomial time. By their 
construction, the number of possible future defeaters is polynomial with respect to the number 
of atoms in the program. 

Clearly, possible future defeaters can be used for expressing interpretation-dependent 
defeaters. 

Proposition 4.1. Let $P$ be an OCLP and let $I$ be an interpretation for it. A rule $r \in P^*$ 
is defeated w.r.t. $I$ iff $\exists (R, S) \in \mathcal{D}^P(r) \cdot S \subseteq I,\ B_{r'} \subseteq I,\ \forall r' \in R$. 

These possible future defeaters are the key to mapping OCLPs to semi-negative 
logic programs. We are only required to turn the information that makes possible 
future defeaters into actual defeaters, i.e. that they have to be applicable, into a condition. To make 
this possible, we introduce for each non-constraint rule $r$ in the program two new atoms: 
$d_r$ and $a_r$. The former indicates whether the rule $r$ is defeated or not, while the truth value 
of the latter is an indicator of the applicability of the rule. 

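Definition 4.3. Let $P$ be an OCLP. Then, the logic program$^8$ $P_\neg$ is defined as follows: 

1. $|H_r| = 0$: $r \in P_\neg$ 

2. $|H_r| \geq 1$: 

a) $h \leftarrow B_r, \neg d_r, \neg(H_r \setminus \{h\}) \in P_\neg$: $\forall h \in H_r$ 

b) $a_r \leftarrow B_r \in P_\neg$ 

c) $d_r \leftarrow C \in P_\neg$ with $C = S \cup \bigcup_{r' \in R} a_{r'}$ such that $(R, S) \in \mathcal{D}^P(r)$. 

d) $\leftarrow h, g, B_r, \neg d_r \in P_\neg$: $\forall h, g \in H_r \cdot h \neq g$ 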

Since constraints are not involved in the defeating process, we can simply copy them 
to the corresponding logic program. For the answer set semantics of ordered choice logic 
programs, we need, among other things, that each applicable, undefeated rule admits 
exactly one head atom. Rules of type a) and d) make sure that the corresponding rules 
in the logic program do not violate this property. The rules of type b) indicate which 
original rules are applicable. The c)-rules are probably the most difficult ones. They 
express when a rule should or could be considered defeated. If we look at Theorem 4.1, 
we have a mechanism for relating possible future defeaters to actual defeaters. Given 
a possible future defeater $(R, S)$ for a rule $r$, we simply have to make sure that all 
rules in $R$ are applicable and that all atoms in $S$ are true with respect to the current 
interpretation. With rules of type b), we can express the former using $a_r$. Combining all 
of this, we can signal in the transformed program whether a rule is defeated or not using a 
rule $d_r \leftarrow a_{r_1}, \ldots, a_{r_n}, S$ with $r_i \in R$ and $n = |H_r|$. Whenever an answer set of the 
transformed program makes $d_r$ true, we know that the original rule $r$ is defeated. The 
construction with rules of type b) makes sure that the reverse also holds. 

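Example 4.3. The corresponding logic program $P_\neg$ of the OCLP of Example 4.1 looks 
like: 

$$
\begin{array}{llll}
a \leftarrow \neg d_{r_1} & a \leftarrow f, \neg d, \neg d_{r_4} & a_{r_2} \leftarrow & \leftarrow d, \neg d_{r_3}, a, b \\
f \leftarrow \neg d_{r_2} & d \leftarrow f, \neg a, \neg d_{r_4} & a_{r_3} \leftarrow d & \leftarrow d, \neg d_{r_3}, a, c \\
a \leftarrow d, \neg b, \neg c, \neg d_{r_3} & d \leftarrow \neg c, \neg d_{r_5} & a_{r_4} \leftarrow f & \leftarrow d, \neg d_{r_3}, b, c \\
b \leftarrow d, \neg a, \neg c, \neg d_{r_3} & c \leftarrow \neg d, \neg d_{r_5} & a_{r_5} \leftarrow & \leftarrow f, \neg d_{r_4}, a, d \\
c \leftarrow d, \neg a, \neg b, \neg d_{r_3} & a_{r_1} \leftarrow & d_{r_1} \leftarrow a_{r_5}, d, f & \leftarrow \neg d_{r_5}, d, c
\end{array}
$$

The original OCLP of Example 4.1 has two skeptical answer sets, $\{f, d, b\}$ and $\{f, c, a\}$, 
which correspond exactly with the two answer sets, $\{a_{r_1}, a_{r_2}, a_{r_3}, a_{r_4}, a_{r_5}, d_{r_1}, f, d, b\}$ 
and $\{a_{r_1}, a_{r_2}, a_{r_4}, a_{r_5}, f, c, a\}$, of $P_\neg$. 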

Because the transformation is based on possible future defeaters, it is easy to see that 
the transformation can be constructed in polynomial time, leading to only a polynomial 
increase of rules. 

Theorem 4.2. Let $P$ be an OCLP and $P_\neg$ be its corresponding logic program. Then, a 
one-to-one mapping exists between the skeptical answer sets $M$ of $P$ and the answer 
sets $N$ of $P_\neg$ in such a way that $N = M \cup \{a_r \mid \exists r \in P \cdot |H_r| \geq 1,\ B_r \subseteq M\} \cup \{d_r \mid \exists r \in P \cdot r \text{ is defeated w.r.t. } M\}$. 
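
The construction of Definitions 4.1 to 4.3 can be traced on Example 4.1 with the following added sketch, which is not the paper's or OCT's code. The rule encoding, the function names and the lparse-style output syntax (`not` for negation as failure, `a_r`/`d_r` written as `a_r1`, `d_r1`) are assumptions made for this illustration.

```python
from itertools import combinations, product

# Example 4.1 from the text: rule id -> (component, head atoms, body atoms).
RULES = {
    "r1": ("P1", ("a",), ()),
    "r2": ("P1", ("f",), ()),
    "r3": ("P2", ("a", "b", "c"), ("d",)),
    "r4": ("P2", ("a", "d"), ("f",)),
    "r5": ("P2", ("d", "c"), ()),
}
# Strict order, assumed transitively closed: (X, Y) means X is more preferred than Y.
PREC = {("P2", "P1")}


def as_preferred(x, y):
    """True if component x is at least as preferred as component y."""
    return x == y or (x, y) in PREC


def alternatives(atom, comp, rules=RULES):
    """Definition 4.1: pairs (b, B_r) taken from rules r, at least as preferred
    as comp, whose head contains both atom and b."""
    found = set()
    for comp_r, head, body in rules.values():
        if atom in head and as_preferred(comp_r, comp):
            found |= {(b, frozenset(body)) for b in head if b != atom}
    return found


def atom_defeaters(atom, comp, rules=RULES):
    """Definition 4.2 (atoms): pairs (r, S) where every head atom of r is a possible
    future alternative of atom and S collects the conditions of those alternatives."""
    alts = alternatives(atom, comp, rules)
    found = set()
    for rid, (comp_r, head, _) in rules.items():
        if not head or not as_preferred(comp_r, comp):
            continue
        conditions = [[s for b, s in alts if b == h] for h in head]
        for combo in product(*conditions):  # empty when some h is not an alternative
            found.add((rid, frozenset().union(*combo)))
    return found


def rule_defeaters(rid, rules=RULES):
    """Definition 4.2 (rules): choose one possible future defeater per head atom."""
    comp, head, _ = rules[rid]
    if not head:
        return set()
    per_atom = [atom_defeaters(h, comp, rules) for h in head]
    return {(frozenset(r for r, _ in combo),
             frozenset().union(*(s for _, s in combo)))
            for combo in product(*per_atom)}


def skeptical_mapping(rules=RULES):
    """Definition 4.3, emitted as text rules."""
    out = []
    for rid, (_, head, body) in rules.items():
        if not head:  # case 1: constraints are copied unchanged
            out.append(":- " + ", ".join(body) + ".")
            continue
        for h in head:  # a) one shifted rule per head atom
            lits = list(body) + [f"not d_{rid}"] + [f"not {g}" for g in head if g != h]
            out.append(f"{h} :- " + ", ".join(lits) + ".")
        out.append(f"a_{rid}" + (" :- " + ", ".join(body) if body else "") + ".")  # b)
        for R, S in rule_defeaters(rid, rules):  # c) defeat conditions
            lits = sorted(f"a_{r}" for r in R) + sorted(S)
            out.append(f"d_{rid} :- " + ", ".join(lits) + ".")
        for h, g in combinations(head, 2):  # d) at most one head atom
            out.append(":- " + ", ".join([h, g] + list(body) + [f"not d_{rid}"]) + ".")
    return out


if __name__ == "__main__":
    print("\n".join(skeptical_mapping()))
```

Running it prints the 20 rules of Example 4.3, with `d_r1 :- a_r5, d, f.` as the only defeat rule.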



8 In this paper, we use $\neg$ to represent negation as failure. 

4.1 Credulous Mapping 

To obtain the credulous answer set semantics for OCLPs, we propose a similar mapping 
to semi-negative logic programs. The only difference between the skeptical and the 
credulous semantics is the way they both handle defeat. For the credulous version, we 
need to make sure that we look for c-defeaters in all components which are not less 
preferred than the rule we wish to defeat. Furthermore, we have to make sure that 
c-defeaters are applied and not just applicable as is the case for defeaters. The former will 
be encoded by means of possible future c-defeaters while the latter will be translated into 
a different style of $a_r$ rules in the mapping. 

The definition of possible future c-defeater is identical to that of its skeptical 
counterpart except that it looks for rules in all components which are not less preferred. 



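Definition 4.4. Let $P$ be an OCLP, $C \in \mathcal{C}$ be a component of $P$ and $a \in \mathcal{B}_P$. 
The set of possible future c-defeaters of $a$ in $C$, denoted as $\mathcal{F}^P_C(a)$, is defined as 
$\mathcal{F}^P_C(a) = \{(r, S) \mid \exists r \in P \cdot C \not\prec c(r),\ \forall b \in H_r \cdot (b, B_b) \in \mathcal{A}^P_C(a),\ S = \bigcup_{b \in H_r} B_b\}$. The 
set of possible future c-defeaters of a rule $r \in P$, denoted as $\mathcal{F}^P(r)$, is defined as 
$\mathcal{F}^P(r) = \{(R, S) \mid S = \bigcup_{a \in H_r} S_a \text{ such that } (r_a, S_a) \in \mathcal{F}^P_{c(r)}(a),\ r_a \in R\}$. 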

Just as their sceptical counterparts, possible future c-defeaters can be obtained in 
polynomial time. Their number is also polynomial w.r.t. the number of atoms in the 
program. 

Just as before, c-defeaters can be expressed in terms of possible future c-defeaters. 

Theorem 4.3. Let $P$ be an OCLP and let $I$ be an interpretation for it. A rule $r \in P^*$ is 
c-defeated w.r.t. $I$ iff $\exists (R, S) \in \mathcal{F}^P(r) \cdot S \subseteq I,\ r' \text{ applied w.r.t. } I,\ \forall r' \in R$. 



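Definition 4.5. Let $P$ be an OCLP. Then, the logic program $P^c_\neg$ is defined as follows: 

1. $|H_r| = 0$: $r \in P^c_\neg$ 

2. $|H_r| \geq 1$: 

a) $h \leftarrow B_r, \neg d_r, \neg(H_r \setminus \{h\}) \in P^c_\neg$: $\forall h \in H_r$ 

b) $a_r \leftarrow B_r, h, \neg(H_r \setminus \{h\}) \in P^c_\neg$: $\forall h \in H_r$ 

c) $d_r \leftarrow C \in P^c_\neg$ with $C = S \cup \bigcup_{r' \in R} a_{r'}$ with $(R, S) \in \mathcal{F}^P(r)$. 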

The credulous mapping is very similar to the skeptical one but there are a couple of 
subtle differences: an obvious difference is the use of possible future c-defeaters instead 
of their skeptical counterparts (c-rules). The second change concerns the rules implying $a_r$ 
(b-rules). Previously they were used to indicate applicability, the necessary condition 
for defeat. Since c-defeat works with applied defeaters, we need to make sure that 
$a_r$ is considered true only when $r$ is applied. The less obvious change is the absence of 
the rules of type d). Since a rule can only be applied when one and only one head atom 
is considered true and because $a_r$ should only be considered true in this particular case, 
they are no longer necessary. 

This transformation can also be performed in polynomial time and results in a 
polynomial increase of rules. 
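Example 4.4. Reconsider the OCLP from Example 3.10. If we use the mapping from 
Definition 4.5, we obtain the following program: 

$$
\begin{array}{lll}
g \leftarrow \neg d_1 & a_1 \leftarrow g & d_1 \leftarrow a_2 \\
p \leftarrow \neg d, \neg d_2 & a_2 \leftarrow p, \neg d & d_2 \leftarrow a_3, a_4 \\
d \leftarrow \neg p, \neg d_2 & a_2 \leftarrow d, \neg p & d_3 \leftarrow a_2, a_4 \\
g \leftarrow \neg p, \neg d_3 & a_3 \leftarrow g, \neg p & d_4 \leftarrow a_2, a_3 \\
p \leftarrow \neg g, \neg d_3 & a_3 \leftarrow p, \neg g & \\
g \leftarrow \neg d, \neg d_4 & a_4 \leftarrow g, \neg d & \\
d \leftarrow \neg g, \neg d_4 & a_4 \leftarrow d, \neg g &
\end{array}
$$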

The answer sets of this program correspond perfectly to the credulous answer sets 
of the original program. The newly introduced atoms make sure that the answer set 
semantics remains minimal while the credulous OCLP version is clearly not. 



Theorem 4.4. Let $P$ be an OCLP and $P_\neg$ be its corresponding logic program. Then, a 
one-to-one mapping exists between the credulous answer sets $M$ of $P$ and the answer 
sets $N$ of $P_\neg$ in such a way that $N = M \cup \{a_r \mid \exists r \in P \cdot |H_r| \geq 1,\ B_r \subseteq M,\ |H_r \cap M| = 1\} \cup \{d_r \mid \exists r \in P \cdot r \text{ is c-defeated w.r.t. } M\}$. 

4.2 Using Answer Set Solvers 

The transformations presented above give us the theoretical certainty that OCLP can be 
implemented on top of answer set solvers like Smodels ([20]), and dlv ([26]). 

However, no attempt is made to make the mappings efficient, apart from assuring 
that they can be done in polynomial time. When actually implementing the system, we 
should take efficiency, in both time and space, into account. New atoms and rules should 
only be created when necessary. 

For example, if one of the head atoms of a rule does not have any alternatives relative 
to the component of the rule, there is hardly any point in mentioning $d_r$, as no rule will 
be generated anyway. The same applies for the $a_r$ rules: if a rule does not stand a 
chance of being a (c-)defeater, then there is no point in defining it. Theoretically speaking, 
there is no need to introduce the atoms $a_r$. One can easily incorporate the bodies into 
the rules describing the defeating conditions. Unfortunately, this makes the mapping 
harder to read and would, in the credulous case, create more rules of type d). For each 
defeater, one has to create rules to accommodate all the various ways this rule can be 
made applied. By using $a_r$, one only needs to do this once, while without it one has 
to do this over and over again. For larger and more complex programs this can cause 
a serious overhead. In an algorithmic form of the mappings, it would be best to start with 
generating the c)-rules. By doing so, one can immediately tell which $a_r$ rules are necessary 
and whether not $d_r$ should be included in the corresponding rule or not. 

Another time/space saving point is the effective usage of the various constructs 
provided by the answer set solver at hand. The disjunctive rules used by dlv can help us 
to reduce the number of rules, by simply replacing the a)-rules with a single disjunctive 
rule. Unfortunately, this measure does not eliminate the need for the constraints, assuring 
that each applicable rule is made applied by a single true head atom. Smodels on the other 
hand provides us with a mechanism of writing all shifted rules and the corresponding 
constraints as a single rule using their special choice construct. 

[Fig. 2. The OCT program of Example 4.6: components c01 (a ←), c02 (a ⊕ b ← d), c03 and c04 (c ⊕ d ←).] 

Example 4.5. Reconsider the OCLP mentioned in Example 4.1. If we only take into 
account the special construct provided by smodels, we obtain the following program: 

    a :- not dr1.
    f :- not dr2.
    1{a,b,c}1 :- d, not dr3.
    1{a,d}1 :- f, not dr4.
    1{d,c}1 :- not dr5.
    ar1.
    ar2.
    ar3 :- 1{a,b,c}1.
    ar4 :- 1{a,d}1.
    ar5 :- 1{d,c}1.
    dr1 :- ar5, d, f.

By taking all the other rule and atom saving measures into account, we obtain: 

    a :- not dr1.
    f.
    1{a,b,c}1 :- d.
    1{a,d}1 :- f.
    1{d,c}1.
    ar5 :- 1{d,c}1.
    dr1 :- ar5, d, f.

4.3 Implementing an OCLP Front-End to Smodels 

To demonstrate the theoretical mapping and to serve as a basis for future experiments and 
research, a simple language was developed to allow OCLP to be processed by computer. 
A compiler$^9$ was created to parse the input language and interface with the Smodels ([20]) 
API, which was then used to compute the answer sets. The compiler OCT is available 
under the GPL ("open source") from http://www.cs.bath.ac.uk/~mdv/oct/. 

Example 4.6. The OCLP from Figure 2 can be very easily written as an input file for 
the oct-compiler: 

    component c01 { a. }
    component c02 { a + b :- d. }
    component c03 { b. }
    component c04 { d + c. }
    c04 < c03 < c02 < c01

9 Here compiler is used in the broader sense of an automated computer language translation 
system rather than a traditional procedural to machine code system. 

Definitions 10 and 12 give us a theoretical basis for a program to convert OCLPs into 
semi-negative logic programs, but a few changes and optimisations are necessary before 
we have an effective algorithm for converting and solving OCLPs. All optimisations 
available in OCT are based on the information obtained from the mapping and none use 
any special constructs provided by Smodels. This allows for the usage of OCT on top 
of any other answer set solver. Two types of optimisations are provided: intra-transform 
and inter-transform. The former are carried out during the transformation of OCLP to 
LP on a one rule basis; the latter are recursively applied between rules after the initial 
mapping. More information on the various information techniques can be found in [5]. 

Example 4.7. If we reconsider the OCLP from Example 4.6, OCT without optimisations 
provides us with the following semi-negative logic program: 

    oclp_a_0.
    a :- not oclp_d_0.
    oclp_d_0 :- d, oclp_a_2.
    oclp_a_1 :- d.
    a :- not oclp_d_1, not b, d.
    :- not oclp_d_1, a, b, d.
    b :- not oclp_d_1, not a, d.
    oclp_a_2.
    b :- not oclp_d_2.
    oclp_a_3.
    d :- not oclp_d_3, not c.
    :- not oclp_d_3, d, c.
    c :- not oclp_d_3, not d.

When we allow for optimisations, we obtain a much smaller and more compact program: 

    a :- not d.
    :- a, d.
    b.
    d :- not c.
    :- d, c.
    c :- not d.



[Fig. 3. The non-grounded OCLP of Example 5.1, with rules a(Z) ←; b(Y) ← e(Y); a(X) ⊕ b(X) ⊕ c(X) ← d(X); c(t) ←; e(s) ←; d(t) ←; d(s) ←.] 



5 The Non-grounded Case 



So far we have always assumed that all our programs were fully grounded, i.e. all rules 
have been replaced by their ground instances obtained from substituting all variables 
with constants appearing in the program. This process of grounding has no influence on 
the semantics of our programs. Using variables makes the program more compact and 
readable. All our definitions and theorems remain valid in the presence of variables and a 
countable Herbrand Universe. However, writing them down in a reader-friendly manner 
becomes more complicated since at various stages variables have to be renamed to avoid 
confusion and/or incorrect grounding in future stages. Furthermore, the atoms a r and 
d r need to be equipped with variables to make sure that only particular groundings are 
considered for applicability and (c-)defeat. 

Let us demonstrate our approach with an example. 

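Example 5.1. Consider the non-grounded OCLP in Figure 3. Clearly in this example, 
$a(X)$, $b(Y)$ and $c(Z)$ can only be alternatives if $d(X)$ is true for some $X$ and if they 
all have the same substitution. This will be taken into account when obtaining possible 
future alternatives and possible future (c-)defeaters. This is also reflected in the variables 
we add to $a_r$ and $d_r$. For our program, we obtain: 

$$
\begin{array}{lll}
a(Z) \leftarrow \neg d_{r_1}(Z) & a_{r_1} \leftarrow & d_{r_1}(Z) \leftarrow d(Z), a_{r_2}(Z) \\
b(Y) \leftarrow \neg d_{r_2}(Z) & a_{r_2}(Y) \leftarrow e(Y) & d_{r_1}(t) \leftarrow d(t) \\
a(X) \leftarrow d(X), \neg d_{r_3}(X), \neg b(X), \neg c(X) & a_{r_3}(X) \leftarrow & d_{r_2}(t) \leftarrow d(t) \\
b(X) \leftarrow d(X), \neg d_{r_3}(X), \neg a(X), \neg c(X) & a_{r_4} \leftarrow & \leftarrow a(X), b(X), \neg d_{r_3}(X), d(X) \\
c(X) \leftarrow d(X), \neg d_{r_3}(X), \neg a(X), \neg b(X) & a_{r_5} \leftarrow & \leftarrow a(X), c(X), \neg d_{r_3}(X), d(X) \\
c(t) \leftarrow \neg d_{r_4} & a_{r_6} \leftarrow & \leftarrow b(X), c(X), \neg d_{r_3}(X), d(X) \\
e(s) \leftarrow \neg d_{r_5} & a_{r_7} \leftarrow & \\
d(t) \leftarrow \neg d_{r_6} & & \\
d(s) \leftarrow \neg d_{r_7} & &
\end{array}
$$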
6 Complexity 

In this section we investigate the complexity and expressive power of our system. We 
assume that the reader is familiar with the basic notions and definitions in this area. For 
a succinct but detailed overview we refer to [4]. 

In [16], it was shown that ordered choice logic programming is capable of representing 
extended generalised logic programs (EGLP)$^{10}$ while maintaining the answer set 
semantics as the skeptical answer set semantics of the corresponding OCLP. One can prove 
that the same applies for the credulous answer set semantics, using the same 
transformation. For EGLP it can be shown that classical negation can easily be removed with 
the use of a single pre-processor. Therefore, we will assume that all programs are free 
of classical negation. 

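Definition 6.1. Let $P$ be an EGLP without classical negation. The corresponding OCLP 
is defined by $\langle \{C, R, N\},\ C \prec R \prec N \rangle$ with 

$N = \{not_a \leftarrow \mid a \in \mathcal{B}_P\}$, 

$R = \{a \leftarrow B, not_C \in R \mid r : a \leftarrow B, \neg C \in P\} \cup \{not_a \leftarrow B, not_C \in R \mid r : \neg a \leftarrow B, \neg C \in P\} \cup \{\leftarrow B, not_C \in R \mid r : \leftarrow B, \neg C \in P\}$, 

$C = \{a \oplus not_a \leftarrow a \mid a \in \mathcal{B}_P\}$, 

where, for $a \in \mathcal{B}_P$, $not_a$ is a fresh atom$^{11}$ representing $\neg a$. 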

Intuitively, the choice rules in C force a choice between a and -i a while the rules in 
N encode “negation by default”. 

Theorem 6.1. Let $P$ be an EGLP without classical negation. Then, $M \subseteq \mathcal{B}_P$ is an 
answer set of $P$ iff $S$ is a skeptical/credulous answer set of the corresponding OCLP with $S = M \cup not_{(\mathcal{B}_P \setminus M)}$. 

Combining this result with the transformations from the previous section, we obtain a 
mechanism to go, at any time, from a logic program to an ordered choice logic program 
and back without changing the semantics of our programs. All three mappings involved 
in this process can be executed in polynomial time, which implies that semi-negative 
and ordered choice logic programming have the same complexity and expressive power 
as far as their (skeptical/credulous) answer set semantics is concerned. A good overview 
of complexity and expressive power of logic programming can be found in [14]. 

Theorem 6.2. Let $P$ be an ordered choice logic program: 

- Checking if an interpretation $M$ is a skeptical/credulous answer set of $P$ is P-complete. 

- Deciding if $P$ has a skeptical/credulous answer set is NP-complete. 

- Ordered choice logic programming under the skeptical/credulous answer set semantics 
is co-NP-complete. 

- If we allow function symbols with non-zero arity, the complexity of OCLP becomes 
$\Pi^1_1$-complete. 

- Full OCLP under the skeptical/credulous semantics expresses or captures $\Pi^1_1$. 

10 Extended generalised logic programs allow both types of negation (classical and as failure) to 
appear both in the head and body of a rule, negation as failure in the head of rule. See [25] for 
more details. 

11 For a set $X \subseteq \mathcal{B}_P$, $not_X = \{not_a \mid a \in X\}$. 

7 Relationship to Other Approaches 



Various logic (programming) formalisms have been introduced to deal with the notions 
of preference, order and updates. Ordered choice logic programming uses the intuition of 
defeating from ordered logic programming (OLP) [22,24] to select the most favourable 
alternative of a decision. In fact, every ordered logic program can be transformed into an 
OCLP such that the answer set semantics reflects the credulous semantics of the OCLP. 

Dynamic preference in extended logic programs was introduced in [8] in order to 
obtain a better suited well-founded semantics. Although preferences are called dynamic 
they are not dynamic in our sense. Instead of defining a preference relation on subsets of 
rules, preferences are incorporated as rules in the program. Moreover, a stability criterion 
may come into play to overrule preference information. Another important difference 
with our approach is the notion of alternatives, as the corresponding notion in [8] is 
statically defined. 

A totally different approach is proposed in [28], where preferences are defined 
between atoms. Given these preferences, one can combine them to obtain preferences for 
sets of atoms. Defining models in the usual way, the preferences are then used to filter 
out the less preferred models. 

[11] proposes disjunctive ordered logic programs which are similar to ordered logic 
programs [22] where disjunctive rules are permitted. In [10], preference in extended 
disjunctive logic programming is considered. As far as overriding is concerned the 
technique corresponds to a skeptical version of the OCLP semantics ([16]), but alternatives 
are fixed as an atom and its (classical) negation. 

To reason about updates of generalised logic programs, extended logic programs 
without classical negation, [2] introduces dynamic logic programs. A stable model of 
such a dynamic logic program is a stable model of the generalised program obtained by 
removing the rejected rules. The definition of a rejected rule corresponds to our definition 
of a defeated rule when $a$ and $\neg a$ are considered alternatives. It was shown in [2], that 
the stable model semantics and the answer set semantics coincide for generalised logic 
programs. In Theorem 6.1 we have demonstrated that extended logic programs without 
classical negation can be represented as ordered choice logic programs such that the 
answer set semantics of the extended logic program can be obtained as the answer set 
semantics of the OCLP. Because rejecting rules corresponds to defeating rules, it is not 
hard to see that, with some minor changes, Definition 6.1 can be used to retrieve the 
stable models of the dynamic logic program as the stable models of the corresponding 
OCLP. The only things we need to do are to replace the component $R$ by the $P_i$s of the 
dynamic logic program $\bigoplus\{P_i : i \in S\}$, replace every occurrence of $\neg a$ by $not_a$ and 
add $a \oplus not_a \leftarrow not_a$ to $C$ for each $a \in \mathcal{B}_P$. 

A similar system is proposed in [19], where sequences are based on extended logic 
programs, and defeat is restricted to rules with opposing heads. The semantics is obtained 
by mapping to a single extended logic program containing expanded rules such that 
defeated rules become blocked in the interpretation of the “flattened” program. 

A slightly different version of Definition 6.1 can be used to map the sequences of 
programs of [19] to OCLPs. 

In [3], preferences are added to the dynamic logic program formalism of [2]. These 
are used to select the most preferred stable models. [29] also proposes a formalism that 
uses the order among rules to induce an order on answer sets for inconsistent programs, 
making it unclear on how to represent decisions. Along the same line, [18] proposes 
logic programs with compiled preferences, where preferences may appear in any part of 
the rules. For the semantics, [18] maps the program to an extended logic program. 

[6,9,7] use yet another approach. They define preferences between the head atoms 
of a disjunction. The first head atom is more preferred than the second, which is more 
preferred than the third, etc. So in a sense one can say that these atoms become alternatives. 
In our approach we define the preferences between the alternatives in separate rules, 
each with conditions of their own. In our opinion this allows for a greater sense of freedom 
for the programmer. Furthermore, in our system, it is very easy to adapt to changes 
over time, as decisions can be overruled or defeated. However, one thing has definitely 
to be said for their approach: they can represent problems in $\Sigma^P_2$ while our approach 
is restricted to $\Sigma^P_1$. This higher order of complexity is achieved by allowing multiple 
alternatives to be decided upon without overruling the decision. 



8 Conclusions and Directions for Future Research 

In this paper we proposed a mechanism for transforming ordered choice logic programs 
to semi-negative logic program while preserving, depending on the transformation, the 
skeptical or credulous answer set semantics. We examined the possible ways in which 
the proposed theoretical mappings could be made more efficient, when used on top of 
an answer set solver. On the more theoretical side, these transformations allowed us to 
study the complexity and the expressiveness of our formalism. 

Previously, OCLP was used to describe and to reason about game theory ([16,17]). It 
was shown that OCLP is an elegant and intuitive mechanism for representing extensive 
games with perfect information. The Nash and subgame perfect equilibria can easily be 
obtained as the credulous answer sets of the corresponding programs. To this extent, we 
used a special class of OCLPs. Combining these special characteristics with the mapping 
of OCLP to logic programs, we can create a game-theory tailored front-end to answer 
set solvers. 

In [17], we proposed a multi-agent system where the knowledge and beliefs of the 
agents is modelled by an OCLP. The agents communicate with each other by sending 
skeptical/credulous answer sets. The notion of evolutionary fixpoint shows how the 
various agents reason in order to come to their final conclusions. Having an implementation 
for OCLP would allow us to implement multi-agent systems and experiment with them 
in various domains. One possibility would be incorporating this technology into Carel 
([30]), a multi-agent system for organ and tissue exchange. 







M. De Vos 



In the same domain of multi-agent systems it would be interesting to find out if, with 
this technique, we could include preferences in the DALI-system ([13]). Future research 
will also focus on using OCLP as a tool in multi-agent institutions [27] to enforce norms 
and regulations [21] between participating agents. 
Abstract. The skyline clause — also called the Pareto clause — recently 
has been proposed as an extension to SQL. It selects the tuples that are 
Pareto optimal with respect to a set of designated skyline attributes. This 
is the maximal vector problem in a relational context, but it represents 
a powerful extension to SQL which allows for the natural expression of 
on-line analytic processing (OLAP) queries and preferences in queries. 
Cardinality estimation of skyline sets is the focus in this work. A better 
understanding of skyline cardinality — and other properties of the 
skyline — is useful for better design of skyline algorithms, is necessary to 
extend a query optimizer’s cost model to accommodate skyline queries, 
and helps to understand better how to use skyline effectively for OLAP 
and preference queries. 

Within a basic model with assumptions of sparseness of values on attributes’ 
domains and statistical independence across attributes, we establish 
the expected skyline cardinality for skyline queries. While asymptotic 
bounds have been previously established, they are not widely known 
nor applied in skyline work. We show concrete estimates, as would be 
needed in a cost model, and consider the nature of the distribution of 
skyline. We next establish the effects on skyline cardinality as the constraints 
on our basic model are relaxed. Some of the results are quite 
counter-intuitive, and understanding these is critical to skyline’s use in 
OLAP and preference queries. We consider when attributes’ values repeat 
on their domains, and show the number of skyline is diminished. 
We consider the effects of having Zipfian distributions on the attributes’ 
domains, and generalize the expectation for other distributions. Last, we 
consider the ramifications of correlation across the attributes. 



1 Introduction 

To query relational data to find a best match, the aggregation operators min and 
max allow one to retrieve the best — that is, either lowest or highest valued — 
tuples with respect to a single criterion. The order by clause in SQL allows one 
to rank order the results, perhaps with respect to many criteria.$^1$ Beyond this, 
relational query languages such as SQL provide little else for finding best matches, or 
for expressing preferences as part of one’s queries. 

1 The rank ordering will be equivalent to a nested sort over the indicated attributes’ 
values. 

Consider a table of restaurant guide information, as in Figure 1(a). Column 
S stands for service, F for food, and D for decor. Each is scored from 1 to 30, 
with 30 as the best.$^2$ We are interested in choosing a restaurant from the guide, 
and are looking for a best choice, or a set of best choices from which to choose. 
Ideally, we would like the restaurant chosen to be the best for service, food, and 
decor, and be the lowest priced. There is likely no restaurant that is better than 
all others on all criteria, however.$^3$ No one restaurant trumps all others. For 
instance, Summer Moon is best on food, but Zakopane is best on service. 



| restaurant | S | F | D | price |
|---|---|---|---|---|
| Summer Moon | 21 | 25 | 19 | 47.50 |
| Zakopane | 24 | 20 | 21 | 56.00 |
| Brearton Grill | 15 | 18 | 20 | 62.00 |
| Yamanote | 22 | 22 | 17 | 51.50 |
| Fenton & Pickle | 16 | 14 | 10 | 17.50 |
| Briar Patch BBQ | 14 | 13 | 3 | 22.50 |

(a) Restaurant guide table, Good Eats. 

| restaurant | S | F | D | price |
|---|---|---|---|---|
| Summer Moon | 21 | 25 | 19 | 47.50 |
| Zakopane | 24 | 20 | 21 | 56.00 |
| Yamanote | 22 | 22 | 17 | 51.50 |
| Fenton & Pickle | 16 | 14 | 10 | 17.50 |

(b) The skyline. 

Fig. 1. The restaurant table and the skyline. 



While there is no one best restaurant, we can eliminate from consideration 
any restaurant that is worse on all the criteria than another. The Briar Patch 
BBQ should be eliminated because the Fenton & Pickle is better in comparison 
across all our criteria. The Brearton Grill is eliminated, in turn, because 
Zakopane is better than it on all criteria. If Zakopane were not in the table, 
the Brearton Grill would have remained a consideration. Meanwhile the Fenton 
& Pickle is worse on every criterion than every other (remaining) restaurant, 
except on price, where it is the best. So it stays in consideration. (If we were 
to remove price as one of our criteria, the Fenton & Pickle would be eliminated 
too.) This would result in the choices in Figure 1(b). 

In [2], an extension to SQL is proposed, the skyline of clause, which allows 
easy expression of the restaurant query we imagined above. They propose also 
the skyline operator as the relational algebraic counterpart of the clause, and pursue 
an implementation to support efficiently skyline queries within a relational 
environment. 

The skyline of clause is shown in Figure 2(a). It is syntactically similar to an
order by clause. Columns $a_1, \ldots, a_n$ are the attributes over which our preferences
apply. Their domains must have a natural total ordering, such as integers, floats,
and dates. The directives min and max specify whether we prefer low or high
values, respectively. The directive diff states that one wants to retain best choices

2 This table is modeled on the Zagat Survey Guides. For example, see [1]. 

3 This is certainly the case in real life, and in real data! 




80 



P. Godfrey 



select ... from ... where ...
group by ... having ...
skyline of a1 [min | max | diff], ...,
           an [min | max | diff]

(a) Skyline clause for SQL.

select * from GoodEats
skyline of S max, F max,
           D max, price min

(b) Choosing restaurants.



Fig. 2. Skyline queries. 



with respect to each distinct value of that attribute. Let min be the default 
directive, if none is stated. The skyline query in Figure 2(b) over the table 
GoodEats in Figure 1(a) expresses what we had in mind above for choosing 
“best” restaurants, and would result in the answer set in Figure 1(b). If the 
table GoodEats had a column C for cuisine, we could add C diff to the skyline of 
clause to find the best restaurants by each cuisine group. 



select c1, ..., ck, s1, ..., sm, d1, ..., dn
from OurTable
except
select D.c1, ..., D.ck, D.s1, ..., D.sm,
       D.d1, ..., D.dn
from OurTable T, OurTable D
where D.s1 >= T.s1 and ... D.sm >= T.sm and
      (D.s1 > T.s1 or ... D.sm > T.sm) and
      D.d1 = T.d1 and ... D.dn = T.dn

Fig. 3. SQL for generating the skyline set. 



Skyline queries are not outside the expressive power of present SQL. The
query in Figure 3 demonstrates one way to write an arbitrary skyline query in
present SQL. The $c_i$’s are attributes of OurTable that we are interested to retain in
our query, but that are not skyline criteria. The $s_i$ are the skyline attributes to be
minimized, and would appear in skyline of as $s_i$ min. (Without loss of generality,
we only consider min and not max.) The $d_i$ are the attributes that are the skyline
criteria to differ, and would appear in skyline of as $d_i$ diff. It is cumbersome to
write skyline-like queries currently in SQL, however. The skyline clause would
be a useful syntactic addition to SQL, therefore, if skyline-like queries were to
become commonplace. More important than ease of expression, however, is the
expense of evaluation. The query in Figure 3 can be prohibitively expensive.
It involves a self-join over a table. This join is a θ-join, not an equality-join.
It effectively computes the tuples that are trumped — or dominated — by other
tuples. The tuples then that remain — that were never dominated — determined
by the except operation, constitute the skyline tuples.
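The Figure 3 rewrite, generated for a given skyline of specification and run with SQLite over the GoodEats table of Figure 1(a). This is an added example, not code from the paper; the helper names, the alias Dom for the dominated tuple, and the cuisine values in column C are assumptions made for the illustration.

```python
import sqlite3

# Rows of Figure 1(a). The last column, cuisine C, is constructed for this
# example so that the diff directive can be exercised; it is not in the guide.
GOOD_EATS = [
    ("Summer Moon", 21, 25, 19, 47.50, "asian"),
    ("Zakopane", 24, 20, 21, 56.00, "european"),
    ("Brearton Grill", 15, 18, 20, 62.00, "american"),
    ("Yamanote", 22, 22, 17, 51.50, "asian"),
    ("Fenton & Pickle", 16, 14, 10, 17.50, "american"),
    ("Briar Patch BBQ", 14, 13, 3, 22.50, "american"),
]

# How a dominated tuple Dom compares with its dominator T, per directive:
# (no better than, strictly worse than).
COMPARE = {"min": (">=", ">"), "max": ("<=", "<")}


def skyline_sql(table, keep, spec):
    """Build the Figure 3 query for spec = {column: 'min' | 'max' | 'diff'}.

    keep lists the projected columns; together they must identify a row,
    because EXCEPT compares the projected values only.
    """
    for ident in (table, *keep, *spec):
        if not ident.isidentifier():  # names are spliced into the SQL text
            raise ValueError(f"unsafe identifier: {ident!r}")
    no_better, worse, same = [], [], []
    for col, directive in spec.items():
        if directive == "diff":
            same.append(f"Dom.{col} = T.{col}")
        elif directive in COMPARE:
            weak, strict = COMPARE[directive]
            no_better.append(f"Dom.{col} {weak} T.{col}")
            worse.append(f"Dom.{col} {strict} T.{col}")
        else:
            raise ValueError(f"unknown directive: {directive!r}")
    if not worse:
        raise ValueError("at least one min or max column is required")
    where = " AND ".join(no_better + ["(" + " OR ".join(worse) + ")"] + same)
    return (
        f"SELECT {', '.join(keep)} FROM {table} EXCEPT "
        f"SELECT {', '.join('Dom.' + c for c in keep)} "
        f"FROM {table} T, {table} Dom WHERE {where}"
    )


def skyline(rows, spec, keep=("restaurant",)):
    """Load rows into an in-memory GoodEats table and return the skyline names."""
    con = sqlite3.connect(":memory:")
    try:
        con.execute(
            "CREATE TABLE GoodEats "
            "(restaurant TEXT, S INTEGER, F INTEGER, D INTEGER, price REAL, C TEXT)"
        )
        con.executemany("INSERT INTO GoodEats VALUES (?, ?, ?, ?, ?, ?)", rows)
        found = con.execute(skyline_sql("GoodEats", keep, spec)).fetchall()
    finally:
        con.close()
    return {row[0] for row in found}


# The query of Figure 2(b).
FIGURE_2B = {"S": "max", "F": "max", "D": "max", "price": "min"}

if __name__ == "__main__":
    print(skyline_sql("GoodEats", ("restaurant",), FIGURE_2B))
    print(sorted(skyline(GOOD_EATS, FIGURE_2B)))
```

The self-join compares every pair of rows, which is the quadratic cost the paragraph above warns about.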
There has been a fair amount of recent work focused on how to compute
efficiently skyline queries within relational systems for large datasets. In Section 
2, we discuss the related work. Skyline cardinality estimation is the focus of this 
work. A better understanding of skyline cardinality 

— is useful for better design of skyline algorithms, 

— is necessary to extend the query optimizer’s cost model to accommodate 
skyline queries, and 

— helps us to understand better how to use skyline effectively for preference 
queries. 

In Section 3, we present a basic model — with assumptions of sparseness over 
attributes’ domains (namely that there are virtually no duplicate values) and sta- 
tistical independence across attributes — and devise concrete estimates of skyline 
query cardinalities under the basic model. We consider next the distribution 
of the number of skyline. The expected value would not be of much utility if 
the distribution were not to be well behaved. We show through Monte Carlo 
simulations the nature of the distribution, and that it is well behaved. 

In Section 4, we consider the effects on the estimates and distributions as 
we relax the assumptions of the basic model, thus modeling better the char- 
acteristics of real data. We consider the effects of when attribute domains are 
restricted to small domains (allowing repeated values and ties), different distributions
over attribute domains (namely, Zipfian), and pair-wise correlation between
attributes. Under the basic model, the number of skyline tuples is independent 
of the distributions of the attributes’ domains. This is no longer necessarily true 
when attributes’ values are no longer sparse over their domains. When there 
are duplicate values over the attributes, the number of skyline tuples decreases. 
We show that the skyline estimates of the basic model are a ceiling for skyline 
cardinalities when the sparseness condition is violated. 4 

In Section 5, we discuss briefly some of the ramifications of our results for 
skyline algorithm design, cost models for the skyline operator, and the use of 
skyline in preference queries, and we conclude. We believe these studies can also 
offer general insights into queries over multi-dimensional criteria. 



2 Related Work 

The concept of skyline in itself is not new, of course. The search for optimal 
solutions is a well-established endeavor with an exceedingly deep literature. 
Beginning in the 1960’s, work focused on optimization with respect to multi- 
ple criteria. Techniques have been explored for finding good utility functions to 
combine effectively the multiple criteria of interest into a single score. Then tra- 
ditional mathematical techniques for finding the optimal solution — with respect 
to a single criterion, the utility function in this case — could then be applied. 
Others recognized though that for many applications it is often difficult — if not 
virtually impossible — to find a reasonable utility function. Thus work in multiple 

4 There is an exception case, to be discussed.

criteria optimization focused on how to find all optimal solutions in the space
with respect to the multiple criteria [3]. The definition of solution in this con- 
text is often identical to our definition for skyline: no other potential solution is 
better across all the criteria. This is called Pareto optimal. 

The problem attracted attention early on within the mathematics and statis- 
tics communities, and within the computational geometry community, since the 
Pareto optimal points are a super-set of the points that delineate the convex 
hull of the entire set. How to compute the convex hull, and its size, is of central 
interest in linear optimization problems. Perhaps in [4] is the first work to study 
the distribution of admissible (Pareto optimal) points, and the expected value of 
their number. More recently in [5], the work of [4] is extended to show bounds 
on the variance of the number of admissible points. In [6], Golin considers the 
effects of the shape of the space to which the points are restricted, and how that 
shape changes the expected value of the number of admissible points. 

Multiple-criterion optimization usually assumes an implicit solution space 
from which the optimal solutions are to be found. Often, this space is quite 
large, but also has properties that help to devise good techniques. For skyline 
queries, the space is explicit: it is the input relation of vectors, or tuples. One 
does not know necessarily particular properties of the space. 

The skyline idea has been studied before in this context of an explicit solution 
space as the maximal vector problem. In [7], the first algorithm to find the max- 
imal vectors (or skyline tuples) from a set of vectors (or relation) was devised. 
In [8], the maximal vector problem is addressed in the context of computational 
geometry. In [9], they established that the average number of skyline tuples is
$O((\ln n)^{d-1})$. 5 This is the cardinality bound most often cited and employed in
skyline work. However, this is a loose upper-bound. In [10], it is established that
$\Theta((\ln n)^{d-1} / (d-1)!)$. There has been work also to establish theoretical
complexity bounds for computing the maxima (the Pareto points) and those points
on the convex hull [11,12]. This work does not lead directly to good algorithms 
in practice, however, for computing skyline queries. 

Interest has returned to the maximal vector problem recently indeed in the 
guise of skyline queries. Previous work was main-memory based though, and not 
well suited to databases. Progress has been made recently on how to compute 
efficiently such queries in a relational system and over large datasets [2,13,14, 
15,16]. In [2], the skyline operator is introduced. They posed two algorithms 
for it, a block-nested loops style algorithm (and variations) and a divide-and- 
conquer approach derived from work in [7,8]. In [14,15,16], algorithms for skyline 
evaluation that exploit indexes are developed. In [13], we developed a general 
skyline algorithm, based on the “block-nested loops” algorithm of [2], which is 
more efficient, pipelinable, and amenable to use in a relational query optimizer. 

A related topic is nearest-neighbor search. This has been studied in the con- 
text of relational systems too [17]. In [18], elements of a cost model for nearest- 
neighbor searches are considered, but just for high-dimensional cases. In [19], 

5 For this, they made essentially the same assumptions that we shall make in Definition 
3.1 about attributes’ distributions and independence.

a specialized index structure is developed to facilitate nearest-neighbor queries.
In [14], they employ nearest-neighbors algorithms to pipeline the generation of
skyline tuples.

Interest in skyline queries arises in most part from the desire to support 
queries with preferences in relational systems. In [20], a more general operator 
called winnow is introduced for the purpose of expressing preference queries. 
Skyline is a special case of winnow. Skyline and related techniques could make it
possible to integrate easily certain cooperative query answering, query relaxation,
and preference query techniques which have been proposed [21,22,23,24]. In [25],
a framework is presented for how to express and combine effectively preferences 
in queries. In [26], a system called PREFER is presented which is designed to 
handle multi-parametric ranked queries efficiently. In [27], a preference algebra 
is developed along with extensions to SQL for general preference queries. They 
call for a more efficient means to compute preference queries. In [28], a system 
that incorporates the preference SQL of [27] is presented. 

3 Pareto / Skyline Cardinality 

We want to estimate the cardinality of the output relation of the skyline operator 
based upon its input relation. The input can be a base table of the database or 
a virtual table which is the intermediate result in a query’s evaluation. Let us 
establish a basic model of assumptions about the input relation under which it 
is possible to establish analytically the cardinality. 

Definition 3.1. Basic model of the input relation and skyline query. 

Let dimension refer to an attribute of the relation that participates in the 
skyline criteria. 

a. Domain assumption (sparseness): For each dimension, we assume that there 

are no duplicate values on the attribute across the tuples of the relation. 

b. Independence assumption: The dimensions are statistically independent. 6

Consider a skyline operation with d dimensions over such an input relation
of n tuples. (So the relation has at least d attributes, which obey the assumptions
above.) Let $s_{d,n}$ be the random variable which measures the number of tuples (the
cardinality) of the output relation (that is, the set of the resulting skyline tuples).
Let $\hat{s}_{d,n}$ denote the expected value of $s_{d,n}$.

We are interested to know $\hat{s}_{d,n}$. Under our basic model, no two input tuples
share a value over any dimension. Thus, the tuples can be ordered totally on
any given dimension. It is not necessary therefore to consider the actual values
of the tuples. Instead, we can conceptually replace the value on, say, dimension
i of a tuple by its rank in the total ordering along dimension i. Without loss
of generality, let us assume that we are minimizing over the dimensions for the
skyline. Let rank 1 refer to the tuple with the smallest value (on that dimension),
and n the one with the largest (n is the number of input tuples). We can now just
refer to a tuple’s rank on a dimension and ignore the actual value. We provide
the proof as it is illustrative for the following discussion.

6 That is, there are no pair-wise or group correlations nor anti-correlations.

Theorem 3.1. [9] The skyline expected value $\hat{s}_{d,n}$ for d > 1 and n > 0 obeys
the following recurrence equation.

$$\hat{s}_{d,n} = \frac{1}{n}\,\hat{s}_{d-1,n} + \hat{s}_{d,n-1}$$

For n > 0, $\hat{s}_{1,n} = 1$.

Proof. Consider $\hat{s}_{1,n}$. Since no two tuples share the same value on the dimension,
only the tuple with rank 1 is in the skyline.

Consider $\hat{s}_{d,n}$ for d > 1. One tuple has rank n on dimension 1. This tuple
cannot dominate any other tuple, since it has a higher value on dimension 1
than any other. What is the probability that this tuple itself is a skyline tuple? It
is the probability that no other tuple dominates it on dimensions 2, ..., d, given
the independence assumption. As $\hat{s}_{d-1,n}$ is the expected value of the number of
skyline tuples out of n tuples on d − 1 dimensions, then $\frac{1}{n}\hat{s}_{d-1,n}$ represents the
probability that this one tuple is part of the skyline.

Since the n-th ranked tuple on dimension 1 cannot dominate any other tuple,
the estimated number of skyline tuples of the remaining n − 1 is $\hat{s}_{d,n-1}$. □

The recurrence for $\hat{s}_{d,n}$ is related to the harmonic numbers.



Definition 3.2. Harmonic numbers.

a. The harmonic of n, for n > 0: $H_n = \sum_{i=1}^{n} \frac{1}{i}$

b. [29] The k-th order harmonic of n, for integers k > 0 and integers n > 0:
   $H_{k,n} = \sum_{i=1}^{n} \frac{H_{k-1,i}}{i}$
   Define $H_{0,n} = 1$, for n > 0. Define $H_{k,0} = 0$, for k > 0.

c. The k-th hyper-harmonic of n, for integers k > 0 and integers n > 0:
   $\mathcal{H}_{k,n} = \sum_{i=1}^{n} \frac{1}{i^k}$

A common two-parameter generalization of the harmonic series is that of the
hyper-harmonics in Definition 3.2(c). The $\mathcal{H}_{k,n}$ converge for k > 1. A second
two-parameter generalization is given in Definition 3.2(b), introduced in [29].
(What is effectively a generalization of the $H_{k,n}$’s appears in [30], in Section
1.2.9.) The $H_{k,n}$ do not converge for k > 1. Rather, $1 \le H_{k,n} \le n$, for k > 0 and
n > 0. Furthermore,

$$\hat{s}_{d+1,n} = H_{d,n} = \sum_{i_1=1}^{n} \sum_{i_2=1}^{i_1} \cdots \sum_{i_d=1}^{i_{d-1}} \frac{1}{i_1 i_2 \cdots i_d}$$

Any particular $H_{k,n}$ can be solved in terms of $\mathcal{H}_{j,n}$’s ($1 \le j \le k$). The $H_n$
and $\mathcal{H}_{k,n}$ are easy to compute, or approximate, and so could be used within a
cost model on-the-fly. (Note that $H_n = \mathcal{H}_{1,n}$.) For instance, we can derive that

$$H_{2,n} = \tfrac{1}{2} H_n^2 + \tfrac{1}{2} \mathcal{H}_{2,n},$$

$$H_{3,n} = \tfrac{1}{6} H_n^3 + \tfrac{1}{2} H_n \mathcal{H}_{2,n} + \tfrac{1}{3} \mathcal{H}_{3,n}, \text{ and}$$

$$H_{4,n} = \tfrac{1}{24} H_n^4 + \tfrac{1}{3} H_n \mathcal{H}_{3,n} + \tfrac{1}{8} \mathcal{H}_{2,n}^2 + \tfrac{1}{4} H_n^2 \mathcal{H}_{2,n} + \tfrac{1}{4} \mathcal{H}_{4,n}.$$

This can be generalized as follows.



Theorem 3.2. For k > 1 and n > 1,

$$H_{k,n} = \sum_{\substack{c_1, \ldots, c_k \ge 0 \\ 1 \cdot c_1 + 2 \cdot c_2 + \cdots + k \cdot c_k = k}} \; \prod_{i=1}^{k} \frac{\mathcal{H}_{i,n}^{c_i}}{i^{c_i} \cdot c_i!}$$

with the $c_i$’s as integers.

Proof. This follows from Knuth’s generalization via generating functions [30]. □

For any k, the coefficients of the terms in the summation sum to one. The
number of terms to express $H_{k,n}$ in terms of $\mathcal{H}_{j,n}$’s is p(k), the number of ways
to partition the positive integer k as a sum of positive integers. Since p(k) grows
quickly (for instance, p(10) = 42 and p(20) = 627), it is not viable to solve
for $H_{k,n}$’s in this way.



Fig. 4. Plot of $\hat{s}_{d,n}$ (A) and Buchta’s (B).



From this though, we can prove that $H_{k,n}$ is $\Theta(H_n^k / k!)$, or equivalently,
$\Theta((\ln n)^k / k!)$. In [10], Buchta established that

$$\hat{s}_{k+1,n} = \frac{(\ln n)^k}{k!} + \gamma\,\frac{(\ln n)^{k-1}}{(k-1)!} + O((\ln n)^{k-2})$$

and therefore that $\hat{s}_{d,n}$ is $\Theta((\ln n)^{d-1} / (d-1)!)$. We can use these as approximations
for $\hat{s}_{d,n}$. In Figure 4, we plot Buchta’s “approximation” (setting the multiplicative
constant at one and the additive constant at zero for the O-term) and
the actual values. $H_n^k / k!$ and Buchta’s underestimate $H_{k,n}$, with Buchta’s
being marginally closer. Interestingly, while $H_n^k / k!$ and Buchta’s are both monotonically
increasing with respect to n, neither is with respect to k. So neither is
a good concrete estimate for higher dimensions where the divergence becomes
more significant.

Of course, the $H_{k,n}$ can be numerically approximated off-line, and then a
look-up table used at run-time. We computed for d = 2, ..., 20 and
n = 10, ..., $10^7$ by factors of ten, as appears in Figure 4. As with logarithms,
interpolation can be safely used to estimate values that are not in the look-up
table.
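An added example (not code from the paper) that evaluates the recurrence of Theorem 3.1 directly, checks it against the partition sum of Theorem 3.2, and computes the two leading-term estimates discussed above. Function names are this example's own, and the second term of Buchta's estimate uses Euler's constant.

```python
from itertools import accumulate
from math import factorial, log

EULER_GAMMA = 0.5772156649015329  # Euler's constant


def skyline_expected(d, n):
    """Expected skyline size over n tuples and d dimensions (Theorem 3.1).

    Unrolling the recurrence on n gives s(d, i) = sum_{j<=i} s(d-1, j) / j,
    so each extra dimension is one prefix-sum pass over i = 1..n.
    """
    if d < 1 or n < 1:
        raise ValueError("d and n must be positive integers")
    row = [1.0] * n  # s(1, i) = 1 for every i
    for _ in range(d - 1):
        row = list(accumulate(v / i for i, v in enumerate(row, start=1)))
    return row[-1]


def multiplicities(k, part=1):
    """Yield {i: c_i} with 1*c_1 + 2*c_2 + ... = k, one dict per partition of k."""
    if k == 0:
        yield {}
        return
    if part > k:
        return
    for count in range(k // part + 1):
        for rest in multiplicities(k - count * part, part + 1):
            yield {part: count, **rest} if count else rest


def order_harmonic(k, n):
    """k-th order harmonic of n, built from hyper-harmonics (Theorem 3.2)."""
    hyper = {j: sum(i ** -j for i in range(1, n + 1)) for j in range(1, k + 1)}
    total = 0.0
    for mult in multiplicities(k):
        term = 1.0
        for i, c in mult.items():
            term *= hyper[i] ** c / (i ** c * factorial(c))
        total += term
    return total


def leading_estimates(k, n):
    """Return (H_n^k / k!, Buchta's two leading terms) for the k-th order harmonic."""
    h_n = sum(1.0 / i for i in range(1, n + 1))
    simple = h_n ** k / factorial(k)
    buchta = (log(n) ** k / factorial(k)
              + EULER_GAMMA * log(n) ** (k - 1) / factorial(k - 1))
    return simple, buchta


if __name__ == "__main__":
    # A small look-up table: exact expected value beside both estimates.
    for d in range(2, 8):
        exact = skyline_expected(d, 10 ** 5)
        simple, buchta = leading_estimates(d - 1, 10 ** 5)
        print(f"d={d}  exact={exact:10.2f}  H_n^k/k!={simple:10.2f}  "
              f"Buchta={buchta:10.2f}")
```

Each extra dimension costs one pass over 1..n, so a table over many d and n is cheap to build off-line.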

We have the expected value of skyline cardinality, $\hat{s}_{d,n}$ (with respect to basic
model in Definition 3.1), but we do not know the distribution of the random
variable $s_{d,n}$. If its variance were huge, for instance, our use of $\hat{s}_{d,n}$ in a cost
model for a query optimizer would be of limited utility. It would also be possible 
for the median to be less than the mean, with a long tail towards n. We are really 
interested in likely values the optimizer will encounter, not the expected value, 
per se, which itself as a value might never occur. In a cost model, it is important 
to anticipate the chance of being significantly off the estimation, especially in 
the case when the actual cardinality is exceedingly larger than the estimate. The 
query plan can be made to accommodate contingencies, to varying degrees. 

For the case of d = 2, it can be proven that the distribution tends to Gaussian 
by the Central Limit Theorem. (A proof is sketched in [4].) For d > 2, the 
nature of the distribution remains unknown [4]. There is speculation that the 
distributions for d > 2 also tend to Gaussian, and we present experimental 
support for this, but it remains unproven. 

It is possible to infer some properties of the distribution just given what we
know of $\hat{s}_{d,n}$. The domain of $s_{d,n}$ is 1 ... n, of course. For d and n combinations
that are likely for skyline queries in practice, $\hat{s}_{d,n}$ is close to the 1-end of the
spectrum. (See Figure 5(d).) This statistically limits how large the variance can
be. (There cannot be much probability that $s_{d,n}$ is near n, since this would serve
to inflate $\hat{s}_{d,n}$, as by Chebyshev’s Inequality.)

We study experimentally the distribution. We ran Monte Carlo simulations as 
follows. For each trial, we generated one million tuples of d attributes randomly. 
Each attribute was of type integer and its value was randomly chosen across 
all values. 7 The number of skyline tuples (minimizing over the d values) was 
then determined. A simulation then consisted of 10,000 trials. Figures 5(a),
(b), and (c) show the distributions of the 10,000 trials for d = 3,
5, and 7, respectively. The data points were binned into about sixty bins in
each case to approximate the distribution via a histogram. We normalize the
y-axis to probability so the area covered by the histogram is one. In each case,
the error-bar represents the mean and spans one standard deviation to the left
and to the right of the mean. The super-imposed curve is a Bézier fit of the
data. The distributions of $s_{d,n}$ are well behaved and resemble normal (Gaussian)
distributions. That the medians are so near the means in the simulations offers
evidence that the true distributions have little if any skew.

7 The values range over 1, . . ., 2,147,483,647.

Fig. 5. Distributions of $s_{d,10^6}$.



In [4], they too are interested in the variance of the number of maxima. They
establish that the variance of $s_{d,n}$ converges from above on the expected value,
$\hat{s}_{d,n}$, for any fixed d as n grows. However, this convergence must be extremely
slow, as we see. Still, this is further proof that the variance is quite well behaved,
and only becomes better behaved as n becomes larger.

4 Generalizing the Basic Model 

We explore next the effects of relaxing the assumptions of our basic model from 
Definition 3.1. 

First, we consider the ramifications of relaxing the sparseness condition. Thus 
tuples may now match on values, and in the extreme, two tuples may be equiv- 
alent with respect to their skyline attributes. A tuple is skyline (under min cri- 
teria) if there is no other tuple that has a smaller or equal value on each skyline 
attribute and has, for some skyline attribute, a strictly smaller value. Therefore, 
there may be duplicates among the skyline. Such data “density” of course is
characteristic of much real data. Denseness does affect skyline, but in a way
that is counter-intuitive to most. The primary effect is to reduce the number of
skyline with respect to $\hat{s}_{d,n}$, the estimated value under the sparseness condition.

So far, we have been unconcerned about the distributions of the tuples’ values
over each skyline column. We observe that, under sparseness, the distributions
are immaterial! 8 This is a remarkable characteristic of the skyline. However,
under denseness, the distributions do have an effect. We consider Zipfian distributions
on the columns and explain what happens. Again, the primary effect is
either to reduce the number of skyline with respect to $\hat{s}_{d,n}$, or not to affect it
virtually at all.

Last, we consider the effects of correlation and anti-correlation among the
columns. We know a priori that correlation must be well behaved with respect
to skyline cardinality, but that anti-correlation can move the skyline count to n
(with all the tuples being in the skyline). Yet we find that skyline cardinality is
fairly stable with $s \ll n$, even in the presence of reasonably high anti-correlation.

4.1 Sparseness versus Denseness 

Many attribute domains are small. For instance, a Boolean type only allows 
the values true and false. Furthermore, we are really interested in the range of 
values that occur over an attribute, rather than the domain, per se. For a given 
distribution of tuples, the values may cluster on just a few of the possible values. 
When we relax the sparseness assumption from Definition 3.1, it allows for tuples 
to share values. Furthermore, it allows for duplicate tuples (at least with respect 
to the skyline attributes). Since most real data is like this, we are interested in 
how this affects the skyline cardinality. 



(a) Two tuples become comparable.

(b) Two tuples become identical.

Fig. 6. Binning effects.



Definition 4.1. Let $s_{(p \times p),n}$ denote the random variable that measures the number
of skyline tuples from a relation of n tuples, with respect to a two-dimensional
skyline query. Each of the skyline attributes ranges over p values, the tuples’ values
are uniformly distributed over them, and the skyline attributes are statistically
independent.

Let $s_{(p^d),n}$ more generally denote the number of skyline tuples with respect to
a d-dimensional skyline query under the same conditions. Let $\hat{s}_{(p^d),n}$ denote the
expected value.

8 This is with the assumption still of statistical independence over the attributes.
Note that the attributes’ distributions can cause statistical dependence even if the
attributes remain causally independent.

It is straightforward to establish $\hat{s}_{(p^d),n}$’s behavior in the limit, for d, p, and n.

Theorem 4.1. Bounds on $s_{(p^d),n}$ and $\hat{s}_{(p^d),n}$.

a. $1 \le s_{(p^d),n} \le n$

b. $\lim_{d \to \infty} \hat{s}_{(p^d),n} = n$

c. $\lim_{p \to \infty} \hat{s}_{(p^d),n} = \hat{s}_{d,n}$

d. $\lim_{n \to \infty} \hat{s}_{(p^d),n} / n = 1 / p^d$

Proof. There must be at least one skyline tuple, and at most, there can be n. In
the limit of d, all tuples will be incomparable. In the limit of p, the probability
of repeat values diminishes to zero. Once $n \gg p^d$, with high probability, there
will be tuples with the highest value on each dimension. Just these tuples, all
duplicates with respect to skyline attributes, will be skyline. □

We are specifically interested in how $\hat{s}_{(p^d),n}$ relates to $\hat{s}_{d,n}$. Does value repetition
(denseness) increase the number of expected skyline tuples, or decrease
it? Denseness is equivalent to considering a relation that is initially sparse, and
the tuples’ values are then binned — that is, partitioned — over each attribute into
just a few bins (values). So the tuples initially share no values, but after being
binned, they do. Of course after binning, there can be duplicate tuples as
well. Figure 6 shows two effects that occur. In some cases, a pair of tuples that 
were incomparable before binning may be comparable after binning. Figure 6(a) 
shows this. 9 Tuples A and B were incomparable before. Assume that they both 
are skyline. However, after binning, A trumps B. Thus only A could be in the 
skyline of the binned relation. 10 By this effect, it is possible to lose skyline tu- 
ples. In other cases, all the skyline attribute values of the two tuples become the 
same. Figure 6(b) shows this. Assume that A is skyline but B is not initially. 
Again, two incomparable tuples have become comparable upon binning, but this 
time both A and B might qualify as skyline afterward. By this second effect, it 
is possible to gain skyline tuples, due to resulting duplicate tuples. 

The probability of value sharing occurring, as in Figure 6(a), is much greater 
generally than that of the tuples becoming equivalent, as in Figure 6(b). 11 That 
is, there is a higher probability that tuples will share values on some dimensions, 
but not on all. This gap increases with the number of dimensions. So we generally 
expect the first effect to dominate the second, and for the number of skyline to 
go down due to binning. 

9 The vertical axis represents the attributes’ values. The horizontal axis spans the 
attributes. The two tuples, A and B, are shown in different shades. 

10 We say “could” because some other tuple might trump A after binning by this same 
argument. 

11 This is not the case only in the extreme. For instance, if we bin all values to a single 
bin for each dimension, all the tuples become identical.

There is the case when there are many more tuples, n, than possible value
combinations, $p^d$. In this case, the second effect due to duplicates reigns. By
uniformity, for each possible value combination, there is with high probability 
a tuple that matches it. Thus, there is a tuple with the best p value on each 
attribute, and so this is the only possibility for skyline. How many skyline tuples 
there are depends on how many duplicates of this best tuple there are. The limit 
in Theorem 4.1(d) reflects this effect. 




(a) Edges with no repeats, $\hat{s}_{2,2} = 3/2$. (b) Edges with repeats, $\hat{s}_{(2 \times 2),2} = 11/8$.

Fig. 7. Choose two edges.



Consider the case of two tuples of two dimensions, with each dimension as 
Boolean. This is the same as considering two edges placed on a 2 x 2 bipartite 
grid, as in Figure 7. If no vertex (value) sharing is allowed, the only possibilities 
are as in Figure 7(a). With vertex sharing, there are sixteen possibilities as in 
Figure 7(b) (choosing two possible edges, with replacement). By our assumptions 
of uniform distributions and independence, all sixteen possibilities are equally 
likely. 

The dark-hued diagonal in Figure 7(b) represents the cases in which there
are no repeated values. These behave exactly as $s_{2,2}$. The light-hued diagonal
are the duplicate cases, so s = 2 over these. The rest are cases of repeats, but no 
duplicates. For these, s = 1. Note there are twice as many cases of repeats (but 
no duplicates) than of duplicates. 

We can solve via the probabilities for $\hat{s}_{(p \times p),2}$ (and for higher values of n,
although it becomes increasingly cumbersome).

Lemma 4.1. $\hat{s}_{(p \times p),2} = H_2 - \frac{1}{p} + \frac{3}{2p^2}$

Proof. Follows from a case-by-case sum of the probabilities. □

For p > 1, $\hat{s}_{(p \times p),2} < \hat{s}_{2,2}$.
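An added example (not the paper's code) that enumerates every equally likely relation for small p, d and n, reproducing the two values of Figure 7 and checking the closed form $H_2 - 1/p + 3/(2p^2)$ of Lemma 4.1 with exact fractions. Function names are this example's own.

```python
from fractions import Fraction
from itertools import permutations, product


def skyline_size(relation):
    """Count tuples not dominated under min criteria, ties allowed (Section 4)."""
    def dominates(a, b):
        # a is no larger anywhere and, not being equal, strictly smaller somewhere
        return a != b and all(x <= y for x, y in zip(a, b))
    return sum(not any(dominates(o, t) for o in relation) for t in relation)


def expected_dense(p, d, n):
    """Exact expected skyline size when each of d attributes is uniform over p values."""
    points = list(product(range(p), repeat=d))
    relations = product(points, repeat=n)  # all p**(d*n) relations, equally likely
    return Fraction(sum(skyline_size(r) for r in relations), len(points) ** n)


def expected_sparse(d, n):
    """Exact expected skyline size under Definition 3.1 (ranks, no ties)."""
    orders = list(permutations(range(n)))
    total = 0
    for ranks in product(orders, repeat=d - 1):
        # tuple i has rank i on dimension 1 and an independent rank elsewhere
        relation = [(i, *(r[i] for r in ranks)) for i in range(n)]
        total += skyline_size(relation)
    return Fraction(total, len(orders) ** (d - 1))


def lemma_4_1(p):
    """Closed form H_2 - 1/p + 3/(2 p^2) for two tuples over two dimensions."""
    return Fraction(3, 2) - Fraction(1, p) + Fraction(3, 2 * p * p)


if __name__ == "__main__":
    print("sparse, d=2, n=2:", expected_sparse(2, 2))
    for p in range(1, 7):
        print(f"p={p}: enumerated {expected_dense(p, 2, 2)}, lemma {lemma_4_1(p)}")
```

The enumeration grows as p^(d*n), so it is only a check for very small cases.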

We can establish more generally that

Lemma 4.2. $\hat{s}_{(p^d),2} < \hat{s}_{d,2}$, for p > 2 and d > 1.

Proof. We show $\hat{s}_{(p^d),2} < 2 - 1/2^{d-2} + (1/p^d)(1/2^{d-2})$ and that $\hat{s}_{d,2} = 2 - 1/2^{d-1}$.
Thus, $\hat{s}_{(p^d),2} < \hat{s}_{d,2}$ when p > 2 and d > 1. □

We conjecture that this is true more generally for any n, up to a point before
n saturates the number of admissible values.

Conjecture 4.1. For $n < p^d \cdot \hat{s}_{d,n}$, $\hat{s}_{(p^d),n} < \hat{s}_{d,n}$.

(a) Plotting “$\hat{s}_{(p^5),10^6}$” for d = 5.


(b) Distribution of “s^syio 6 ” ■ 



Fig. 8. $s_{(p^5),10^6}$



This conjecture may be hard to prove, especially for cases of small n’s and
p’s. For instance, while $\hat{s}_{(p \times p),2} < \hat{s}_{2,2}$ (for p > 1), $\hat{s}_{(p \times p),2}$ is not monotone with
respect to p. Of course, for our purposes, we are only interested in relatively
large n. To ascertain experimentally $\hat{s}_{(p^d),n}$ and the distribution of $s_{(p^d),n}$, as in
Section 3, we ran 10,000 trials for each of p = 2 to $2^{20}$ (by doubling) for d = 5
and n = $10^6$. Figure 8(a) shows this. The error-bars represent the standard
deviations. Figure 8(b) shows the distribution of s^syio 6 ! and is constructed in 
the same way as those in Figures 5(a), (b), and (c). 

To the left of the nadir in Figure 8(a), the number of tuples dominates the 
possible value combinations, and the distribution counts the number of dupli- 
cates of that best scoring combination. These distributions are true Gaussian, 
by the Central Limit Theorem. (For these, we note that $\mu = \sigma^2$.) Around the
nadir is the balance point between the duplicate effect and value sharing. Here, 
the distributions are odder, as in Figure 8(b). That distribution is bimodal, in 
which many trials hit the “best” value combination once (and so have a skyline 
of one) and many do not. As we move to the right, the distributions become well 
behaved and Gaussian-like again. The number of skyline is diminished due to 
the value-sharing effect, which acts as dimensional reduction. The distributions 
converge on that of $s_{5,10^6}$ (1,880) — shown as the ceiling in Figure 8(a) — as p
grows and the relation becomes virtually sparse.

More generally, the distribution of $s_{(p^d),n}$ converges on that of $s_{d,n}$ in the
limit as p grows, and $\hat{s}_{(p^d),n}$ converges asymptotically from below to $\hat{s}_{d,n}$. Thus,
$\hat{s}_{d,n}$ is a ceiling on $\hat{s}_{(p^d),n}$.

The assumption for $\hat{s}_{(p^d),n}$ is that any of the p bins are equally likely to have a
tuple mapped to it. Thus, it is immaterial what the distribution of the attribute
is, as long as our summary — the partitioning we have chosen — is an equi-width
histogram of the data. This is a common way to summarize data in databases
and data warehouses. Under these conditions, $\hat{s}_{(p^d),n}$ is a good estimation.

4.2 Domain Distributions 

In the basic model, we made no assumption about attributes’ distributions, be- 
yond the assumption of sparseness. Under the assumptions of sparseness and 
independence, the distributions are immaterial! This follows directly from The- 
orem 3.1 and its proof, and was illustrated in our discussion in Section 3. For 
one tuple to dominate another along a given dimension, the actual values do not 
matter, per se, just the tuples’ ranks along that dimension. 

Of course when the sparseness condition does not hold (and tuples tie on
values) the skyline may no longer be independent of the attributes’
distributions. In the previous section, we analyzed what happens when the sparseness
assumption is relaxed, but we kept an assumption of uniform distributions. Now 
let us relax both the sparseness and the uniform distribution assumptions. Specif- 
ically, let us consider the domains’ values under a Zipfian distribution, as this is 
a common distribution in real data. 

Definition 4.2. Under a Zipfian distribution over p values (1, ..., p) with
zeta constant z, the probability of value i is $1/(c \cdot i^z)$ (where
$c = \sum_{i=1}^{p} 1/i^z$, to normalize the probabilities). Zipfian
distributions are also called zeta distributions. Usually z is close to unity.

Let $s^{(p_z)}_{d,n}$ denote the number of skyline tuples with respect to d min
criteria over n tuples for which the values of each skyline attribute are
distributed over p values (1, ..., p) with a Zipfian distribution with zeta
constant z, and the attributes are statistically independent.

We ran Monte Carlo simulations as follows. For each trial, we generated
one million tuples of d attributes randomly, each distributed with a Zipfian
distribution across the integer range 1, ..., 10,000. A simulation then
consisted of 10,000 trials. To generate data following a Zipfian distribution,
we employed the algorithm in [31]. Zipfian data when plotted on a log-log scale
is linear. Figure 9(a) plots the generator’s results for a million values at
zeta values 1.0, .8, .6, .4, and .2, respectively, and demonstrates the
fidelity of the generator, with the artifact of dropping off slightly near
unity.¹²

The Zipfian distribution affects the likelihood of a tuple having a good score 
(near 1) on the dimension. The probability that the best possible tuple (all 1’s)
appears in the relation is increased, compared with the uniform distribution. 

12 We exponentially bin points together (1’s, 2-3’s, 4-7’s, 8-15’s, ...) to
accommodate the log scale along the x-axis. For z = 1.0 we used z = 1.001 to
avoid a singularity for z = 1 in the generator’s algorithm.
(a) Column’s values at different z. (b) Plotting “$\hat{s}^{((10^4)_z)}_{5,10^6}$”.

Fig. 9. Skyline under Zipfian distributions.



In Figure 9(b), we plot simulations for zeta values from .1 to 1.2 in .1 steps.
The results are quite reminiscent of those in Figure 8(a) for varying the
number of values (p). To the right of the nadir are the cases when duplicates
of the best tuple constitute the skyline. As before, these are Gaussian by the
Central Limit Theorem, and $\mu = \sigma^2$. Consider the simulation with
z = .8, near the nadir in Figure 9(b). As seen in Figure 9(a), the probability
of value 1 when z = .8 is about .037. In a million draws (generated tuples),
the probability of tuple (1, 1, 1, 1, 1) occurring at least once is 7%. The
distribution of $s^{((10^4)_{.8})}_{5,10^6}$
is bimodal and is quite similar to that for s^spo 6 } in Figure 8(b). To the left of 
the nadir, the distributions become Gaussian-like again and well-behaved. 

The ceiling, indicated in Figure 9(b), on which $\hat{s}^{((10^4)_z)}_{5,10^6}$
is asymptotically converging is $\hat{s}^{(10^4)}_{5,10^6}$ (1,737), the
expected value for 10,000 partitions but with a uniform distribution. This
ceiling is lower than $\hat{s}_{5,10^6}$ (1,880). The reason is that as z
decreases, the Zipfian distribution resembles more a uniform one.

When we consider skyline with respect to max criteria and Zipfian
distributions, we see something different. In this case for z = .5 (and d = 5
and $n = 10^6$), our simulation yields 1,791, which is above the ceiling of
1,737. However, it is still below $\hat{s}_{5,10^6}$. What happens now is that
the higher values are rarer, and therefore are sparser. Most skyline tuples
draw on these values (since max is the criterion), so it is as if the data is
sparse. This will converge asymptotically from below on $\hat{s}_{5,10^6}$ as z
increases.

More generally, $\hat{s}^{(p_z)}_{d,n}$ converges asymptotically from below on
$\hat{s}^{(p)}_{d,n}$ for min criteria, and on $\hat{s}_{d,n}$ for max
criteria. Our arguments extend for other distributions as well. Excluding the
case of duplicate saturation, $\hat{s}_{d,n}$ is a ceiling on the expected
skyline cardinality.

4.3 Correlation and Anti-correlation 

Our other assumption in the basic model in Definition 3.1 is that of statistical 
independence of the dimensions (skyline attributes). This is rarely true for real 
data, and skyline cardinality is sensitive to correlation. 
Definition 4.3. Let $s^{(r)}_{d,n}$ denote the random variable that measures
the number of skyline tuples of an n-tuple relation with respect to a
d-dimensional skyline query, for which the d skyline attributes are
statistically independent, save for one pair that are pair-wise correlated with
correlation r.

The skyline is affected quite differently by correlation and anti-correlation. 
High correlation between two skyline attributes acts as dimensional reduction. If 
tuple A has a better value on one of the dimensions than B, with high probability,
it also does on the other dimension. At r = 1.0, that probability is one, so one
of the dimensions is effectively eliminated. Anti-correlation is the antithesis of
skyline, however. If A is better than B on one dimension, it is likely that B
is better than A on the other. At r = -1.0, all tuples are in the skyline. In a
way, skyline queries with highly anti-correlated skyline attributes do not make 
much sense. One is trying to optimize two values that are strictly trade-offs. 
Nevertheless, any realistic implementation of the skyline operator would have to 
accommodate such cases. 




(a) Plotting “$\hat{s}^{(r)}_{5,10^6}$” (x-axis: correlation). (b) Distribution of s.

Fig. 10. Skyline at different correlations.



To ascertain experimentally $\hat{s}^{(r)}_{d,n}$ and the distribution of
$s^{(r)}_{d,n}$, as in Section 3, we ran 10,000 trials for each of r = -0.9 to
1.0 (and -0.95) by steps of 0.1 for d = 5 and $n = 10^6$. Figure 10(a) shows
this. The error-bars represent the standard
deviations. Figure 10(b) shows the distribution of s^'^g , and is constructed in 
the same way as those in Figures 5(a), (b), and (c). The correlated cases behave 
as expected. Note that a simple linear interpolation between d = 5 and d = 4 
would not be accurate to model the correlation. It would be easy though to 
fit a function for the interpolation. The s do grow as anti-correlation increases, 
but not nearly as fast as expected. As anti-correlation increases, s converges 
towards n very slowly. The distributions remain remarkably well behaved and 
Gaussian-like, and the standard deviations do not diverge rapidly. 

We ought to understand further the effects of multiple correlations, and of 
group correlations (not just pair-wise), on skyline. To do so, it would be best 
to have a model of multiple correlations that is compatible with the correlation
information as kept by relational database systems. We plan to pursue this. 

5 Ramifications and Conclusions 

We have found the issues of skyline cardinality to be fascinating in their own 
right, but our primary goal in this endeavor has been to shed light on skyline 
queries, their effective use, and their efficient evaluation. Our analyses and in- 
sights should help us to understand better the uses of skyline queries, and help 
us in this next stage to build better, more robust algorithms for skyline’s com- 
putation. Understanding skyline cardinality should give us and others better 
insights to devising good algorithms for skyline, and for comparing average-case 
performances of such algorithms. 

We have found that the concrete estimate $\hat{s}_{d,n}$ for skyline
cardinality under our basic model is a ceiling on the cardinality when the
model’s assumptions are relaxed, save with two exceptions. This means we have a
cardinality estimator for use in a relational query optimizer’s cost model to
accommodate skyline queries. That the concrete estimate $\hat{s}_{d,n}$ is a
ceiling is useful; over-estimations are better than under-estimations for the
query optimizer. Query performance suffers more often when the optimizer’s
estimation is too low.

The two exceptions to the ceiling are the extreme degenerate case when 
the skyline simply consists of many copies of the same best tuple and the case 
of extreme anti-correlation. Both these cases are somewhat antithetical to the 
intention of skyline queries. The optimizer can be easily made to accommodate 
for the first case. It can price the query as if the skyline “preferences” were
regular conditions and do a skyline cardinality estimation, and then pick the 
higher estimate. More is needed for the anti-correlation case, but we note that 
reasonable levels of anti-correlation are not as deadly for skyline as thought. 

To be sure, work remains, with many issues to resolve. Golin [6] showed that
changing the shape of the space of the points (tuples) can dramatically affect the 
skyline cardinality. For us, conditions prior to the skyline operator in a complex 
query or integrity constraints on the database could have this effect. This requires 
more study, and must be understood for skyline to be fully composable with other 
relational operators. We need a fuller understanding of skyline under correlation, 
for instance how multiple and group correlations affect the skyline, and how the 
attributes’ distributions affect the skyline’s cardinality when their domains are 
very small (that is, p is very small). 

That s diminishes in the presence of data denseness has ramifications for
users of skyline queries (and preference queries more generally), not just for
the cost model. A tempting strategy when the skyline query returns too few
results for the user’s liking is to bin the dimensions’ values further. For
instance, we might see little difference between a restaurant at which the
average meal is $24 and one at which it is $21. So we might not want one
restaurant trumping another on cost unless it were at least $5 less expensive.
This could lead us to bin price into five dollar brackets. However, this
reasonable-seeming strategy backfires. As we have seen in Section 4.1, binning
would only reduce further the number of choices (skyline answers).

Skyline queries offer a natural extension to min and max aggregation, and 
allow for one to query for nearest matches to one’s objectives. The skyline op- 
erator, and potential extensions, may offer support for richer classes of queries 
with preferences. It may soon be worthwhile to add the skyline clause — and the 
underlying skyline operator — to relational systems. 

We hope this work also yields more general insights into the nature of multi- 
dimensional data. In the long term, skyline may provide us, in turn, tools for the 
relational model and systems. For example, a skyline operator might provide the 
query optimizer with more efficient plans for evaluating queries with self-joins. 
Skyline statistics may provide a new type of useful database statistics that could 
yield better cost estimations for queries generally. 
Abstract. We give a general framework for approximate query processing in
semistructured databases. We focus on regular path queries, which are the
integral part of most of the query languages for semistructured databases. To
enable approximations, we allow the regular path queries to be distorted. The
distortions are expressed in the system by using weighted regular expressions,
which correspond to weighted regular transducers. After defining the notion of
weighted approximate answers we show how to compute them in order of their
proximity to the query. In the new approximate setting, query containment has
to be redefined in order to take into account the quantitative proximity
information in the query answers. For this, we define approximate containment,
and its variants k-containment and reliable containment. Then, we give an
optimal algorithm for deciding the k-containment. Regarding the reliable
approximate containment, we show that it is polynomial time equivalent to the
notorious limitedness problem in distance automata.



1 Introduction 

The semi-structured data model [ABS99] is now widely used as a foundation for 
reasoning about a multitude of applications, where the data is best formalized in 
terms of labeled graphs. Such data is usually found in Web information systems, 
XML data repositories, digital libraries, communication networks, and so on. 

Regarding the query languages for semi-structured data, virtually all of them 
provide the possibility for the user to query the database through regular expres- 
sions. The design of query languages using regular expressions is based on the 
observation that many of the recursive queries, which arise in practice, amount 
to graph traversals. In essence, these queries are graph patterns, and the an- 
swers to the query are subgraphs of the database that match the given pattern 
[MW95,ABS99,C+99,C+00]. In particular, the (sub)queries expressed by regular 
expressions are called regular path queries. 

For example, for answering the query

Q = _* . article . _* . ref . _* . article . hopcroft,

one should find all the paths having at some point an edge labeled article,
followed by any number of other edges then by an edge ref followed at some
point by an edge article and immediately after concluding with an edge labeled
with hopcroft.

However, we are often willing to live with structural information that is 
approximate. In other words, the semistructured data represented by a graph 
database can be an approximation of the real world, rather than an exact rep- 
resentation. On the other hand, the user herself can have an approximate idea 
and/or knowledge about the world, and this has as a consequence a need for non 
exact information to be extracted from the database. In both cases the conclu- 
sion is that we need to deal with approximate queries and databases, and give 
approximate answers to the user queries. As an example, suppose that the user 
gives the above query, but in the database we have edges labeled papers instead 
of article or we have recorded in the database only books by Hopcroft, and no 
papers authored by him. In both cases, the user would get an empty answer 
under exact query semantics, while it would be very desirable if the system had 
the ability to substitute article by paper “for free,” and to substitute article 
by book with some “cost,” say 3. The system could then warn the user about 
the distortions, by producing a query answer, weighted by the distortion cost. 
The database system administrator could capture such allowed distortions by 
building a weighted regular expression 

$(\Delta, 0, \Delta)^*$ . ((article, 1, paper) + (article, 3, book)) . $(\Delta, 0, \Delta)^*$

This regular expression is defined over symbol-weight-symbol triplets (R, k, S),
where k is the semantic “cost” of distorting R to S,¹ and $(\Delta, 0, \Delta)$
is a shorthand for $\sum_{R \in \Delta} (R, 0, R)$, with $\Delta$ being the
underlying (finite) alphabet. It is easy

to see that such extended regular expressions exactly correspond to weighted 
transducers, if we think of the transducers as finite automata over symbol-weight- 
symbol triplets. 

For simplicity, we can also allow the system administrator to use
word-weight-word triplets (v, k, w) for building such weighted regular
expressions. It can easily be shown that the (corresponding) weighted
transducers over such word-weight-word triplets can be transformed into
transducers over symbol-weight-symbol triplets. Although the weighted regular
expressions over word-weight-word triplets are equivalent to the ones over
symbol-weight-symbol triplets, the former are easier to use when we want to
capture path structural distortion, as for example

(automata . book . author . hopcroft, 1, automata . book . author . ullman).

We can even allow full general regular expressions in the above triplets as for
example

(automata . _* . book . _* . hopcroft, 1, automata . _* . book . _* . ullman).

The semantics of such triplets is that we can distort any word in the language
of the first regular expression to any database path spelling a word in the
language of the second. It can be shown that we are still able to find an
equivalent weighted regular expression over the symbol-weight-symbol triplets.

1 R or S could be $\epsilon$ as well, but not both.

In this paper, we formally define the notion of weighted approximate answers 
to regular path queries. Given such a query and having available a weighted 
transducer (through a weighted regular expression) we show that we can effec- 
tively compute all the approximate answers on a database. Furthermore, we can 
produce the approximate answers in increasing order of their weight, i.e. from 
the less to the more distorted. 

The similar problem of finding approximate patterns in sequence databases 
is treated in depth in [JMM95]. There, Jagadish, Mendelzon and Milo formalized 
a very powerful rule-based system through which one can specify the possible 
allowed distortions of a word to some other word. Unfortunately, their distortion 
model has an undecidable word problem. Hence, should we use the model of 
[JMM95], we would not be able to decide in general the membership of a tuple
in the approximate answer to a query. 

We can say that, the motivation for using weighted regular expressions (i.e. 
weighted transducers) as a distortion model is similar to the motivation for 
using regular expressions for querying recursive graph patterns and not the more 
powerful formalisms such as context-free rule-based grammars. 

Having built our query approximation framework, we turn to defining a query
containment notion, which takes into account the quantitative distortion
information available in the tuples of the answer sets. For this, we define the
approximate containment, and its variants k-containment, and reliable
containment. For the first notion, we say that a query is approximately
contained in another query, if for any database the tuples for the first query
are also tuples for the second one, and furthermore, in the second query, those
tuples are more reliable, i.e. they are obtained through less query distortion.
The reason behind this view is that, since for obtaining a tuple, the first
query needs more distortion than the second one, semantically the first is
“smaller” than the second. However, as we show, this unrestricted notion of
approximate query containment does not help too much. Hence, in addition, we
shall require that on any database the (distortion) weight of the tuples for
the first query not be greater than a given number, say k, compared to the
weight of the corresponding tuples for the second query. We call this
k-containment, and we give an optimal algorithm, based on algebraic properties
of automata, for deciding such containment between two given queries.

Depending on the application, we might be interested only in the existence 
of the above number k. Namely, we would like to know, for two given queries 
and a distortion transducer, whether there exists a number k, such that on 
any database, the (distortion) weight of the tuples for the first query is not 
greater than k compared to the weight of the corresponding tuples for the
second query. We call this variant reliable containment, and show that it is
polynomial time equivalent with the intricate limitedness problem for distance
automata, intensely investigated by Hashiguchi and others
[Has82,Has90,Has00,Leu91,Sim94].
2 Basic Definitions

We consider a database to be an edge labeled graph. This graph model is typical 
in semistructured data, where the nodes of the database graph represent the 
objects and the edges represent the attributes of the objects, or relationships 
between the objects. 

Formally, let $\Delta$ be a finite alphabet. Elements of $\Delta$ will be
denoted R, S, .... As usual, $\Delta^*$ denotes the set of all finite words
over $\Delta$. Words will be denoted by u, w, .... We also assume that we have
a universe of objects, and objects will be denoted a, b, c, .... A database DB
is then a graph (V, E), where V is a finite set of objects and
$E \subseteq V \times \Delta \times V$ is a set of directed edges labeled with
symbols from $\Delta$. Figure 1 shows an example of a database. If there is a
path labeled $R_1, R_2, \ldots, R_k$ from a node a to a node b we write
$a \xrightarrow{R_1 R_2 \ldots R_k} b$.




Fig. 1. An example of a graph database



A query Q is a regular language over $\Delta$. Let Q be a query and DB = (V, E)
a database. Then, the exact answer to Q on DB is defined as

$ans(Q, DB) = \{(a, b) \in V \times V : a \xrightarrow{w} b \text{ in } DB \text{ for some } w \in Q\}.$

For instance, if DB is the graph in Figure 1, and Q = {SR,T}, then ans(Q , DB) 
= {(M),(d,b),(c,a)}. 

Let N = {0, 1, 2, ...}. A weighted transducer
$\mathcal{T} = (P, \Delta, \tau, P_0, F)$ consists of a finite set of states P,
an input/output alphabet $\Delta$, a set of starting states $P_0$, a set of
final states F, and a transition relation
$\tau \subseteq P \times \Delta^* \times \Delta^* \times N \times P$.

An example of a weighted transducer
$(\{p_0, p_1, p_2\}, \{R, S, T\}, \tau, \{p_0\}, \{p_2\})$ is shown in Figure 2.
Intuitively, for instance $(p_0, RT, RS, 2, p_1) \in \tau$ means that if the
transducer is in state $p_0$ and reads word RT, it emits the word RS at cost 2
and goes to state $p_1$.

Given a weighted transducer $\mathcal{T} = (P, \Delta, \tau, P_0, F)$, and a
word $u \in \Delta^*$, we say that a word $w \in \Delta^*$ is an output of
$\mathcal{T}$ for u through a k-weighted distortion if there exists a sequence
$(p_0, u_1, w_1, k_1, p_1), (p_1, u_2, w_2, k_2, p_2), \ldots, (p_{n-1}, u_n, w_n, k_n, p_n)$
of state transitions of $\tau$, such that $p_0 \in P_0$, $p_n \in F$,
$u = u_1 \cdots u_n$, $w = w_1 \cdots w_n$, and $k = k_1 + \cdots + k_n$. We
denote the set of all outputs of $\mathcal{T}$ for u (regardless of distortion)
by $\mathcal{T}(u)$. For a language $L \subseteq \Delta^*$, we define
$\mathcal{T}(L) = \bigcup_{u \in L} \mathcal{T}(u)$. Later we will also use the
notation $rel(\mathcal{T})$ to denote the set of all pairs
$(u, w) \in \Delta^* \times \Delta^*$, where w is an output of $\mathcal{T}$
when providing u as input. Similarly, $dom(\mathcal{T})$ and
$ran(\mathcal{T})$ will be used to denote the domain and range of
$rel(\mathcal{T})$.

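Given a weighted transducer $\mathcal{T}$, and words u and w, the
$\mathcal{T}$-distance between u and w is defined as

$d_{\mathcal{T}}(u, w) = \begin{cases} \inf\{k : w \text{ is an output of } \mathcal{T} \text{ for } u \text{ through a } k\text{-weighted distortion}\}, & \text{if } w \in \mathcal{T}(u), \\ \infty, & \text{if } w \notin \mathcal{T}(u). \end{cases}$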

Now, the approximate answer of Q on DB, through a distortion transducer
$\mathcal{T}$, is defined as

$ans_{\mathcal{T}}(Q, DB) = \{(a, b, k) \in V \times V \times N : k = \inf\{d_{\mathcal{T}}(u, w) : u \in Q \text{ and } a \xrightarrow{w} b \text{ in } DB\}\}$

For example, in the database DB of Figure 1, if Q = {RTT}, and the distortion
transducer is as in Figure 2, then $\mathcal{T}(Q)$ = {RSR, RSS}. We thus have
$ans(Q, DB) = \emptyset$, while
$ans_{\mathcal{T}}(Q, DB) = \{(a, d, 3), (c, b, 3)\}$.

For a query Q we want to get also the query itself from the transduction.
For this reason we will usually consider that the distortion transducers also
have the ability to “leave everything unchanged.” This can be easily achieved
automatically by the system, which can add to a distortion transducer a new
state, say $p_{id}$, that is both initial and final, as well as the neutral
transitions $\{(p_{id}, R, R, 0, p_{id}) : R \in \Delta\}$. Also, for technical
reasons we will require that there are no “free-distortion” transitions of the
form (p, R, S, 0, q), (p, R, $\epsilon$, 0, q), or (p, $\epsilon$, R, 0, q),
where $R \neq S$. Clearly, this restriction, although done for technical
reasons, closely reflects the reality where we should warn the user that we
have indeed somehow distorted her original query in order to obtain the
produced tuple(s). Notably, all our lower complexity bounds will be derived by
considering this class of distortion transducers.

A transducer $(P, \Delta, \tau, P_0, F)$ is said to be in the standard form if
$\tau$ is a relation over
$P \times (\Delta \cup \{\epsilon\}) \times (\Delta \cup \{\epsilon\}) \times N \times P$.
Intuitively, the standard form restricts the input and output of each
transition to be only a single letter or $\epsilon$. We call such transitions
elementary transitions. It is easy to see that any weighted regular transducer
is equivalent to a weighted regular transducer in standard form. The transducer
transformation is done by applying the following two steps.




Query Answering and Containment for Regular Path Queries 






In the first step, we eliminate the transitions of the form
$(p, w, R_1 \ldots R_n, h, q)$. For this, we introduce new states
$p_1, \ldots, p_{n-1}$ and replace such a transition by the elementary
transitions $(p, w, R_1, 1, p_1)$, $(p_1, \epsilon, R_2, 1, p_2)$, ...,
$(p_{n-1}, \epsilon, R_n, n - h + 1, q)$. It is easy to see that we can assume
without loss of generality that $n > h - 1$. If not we can multiply all the
transition weights by an integer factor and have the weight greater than
corresponding word length. At the end, we divide the weight of the produced
tuples by these factors.²

In the second step, we eliminate transitions of the form
$(p, S_1 \ldots S_m, R, k, q)$. For this, we introduce new states
$p_1, \ldots, p_{m-1}$ and replace such a transition by the elementary
transitions $(p, S_1, R, 1, p_1)$, $(p_1, S_2, \epsilon, 1, p_2)$, ...,
$(p_{m-1}, S_m, \epsilon, m - k + 1, q)$. Similarly, we assume without loss of
generality that $n > k - 1$.



3 Computing Approximate Answers 

A graph database can be seen as an NFA where the graph nodes are the automaton
states and all states are both initial and final. Seen from another
perspective, in the “classical” case of exact semantics (see [MW95,ABS99]),
computing ans(Q, DB) given the automata $A_Q$ for Q and $A_{DB}$ for the
database, essentially amounts to constructing the Cartesian product automaton
$A_Q \times A_{DB}$ (in a lazy way) and outputting the pair (a, b), if and only
if there is, in the Cartesian product automaton, an initial state (_, a)
leading to a final state (_, b).

We show next that for computing $ans_{\mathcal{T}}(Q, DB)$ we can construct an
automaton from the Cartesian product of $A_Q$, $\mathcal{T}$, and $A_{DB}$. The
approximate answer can then be read from this automaton, similarly to the
“classical” case.

Let $A_Q = (P_Q, \Delta, \tau_Q, P_{0Q}, F_Q)$ be an $\epsilon$-free NFA that
accepts Q, and let
$\mathcal{T} = (P_{\mathcal{T}}, \Delta, \tau_{\mathcal{T}}, P_{0\mathcal{T}}, F_{\mathcal{T}})$
be the distortion transducer in standard form. Considering the database DB as
another $\epsilon$-free NFA,
$A_{DB} = (P_{DB}, \Delta, \tau_{DB}, P_{DB}, P_{DB})$, we construct the
transducer $C = (P, \Delta, \tau, P_0, F)$, where
$P = P_Q \times P_{\mathcal{T}} \times P_{DB}$,
$P_0 = P_{0Q} \times P_{0\mathcal{T}} \times P_{DB}$,
$F = F_Q \times F_{\mathcal{T}} \times P_{DB}$, and the transition relation
$\tau$ is defined by, for $(p, q, r) \in P$ and $R, S \in \Delta$,

$\tau = \{((p,q,r), R, S, k, (p',q',r')) : (p,R,p') \in \tau_Q,\ (q,R,S,k,q') \in \tau_{\mathcal{T}},\ (r,S,r') \in \tau_{DB}\}$
$\cup\ \{((p,q,r), \epsilon, S, k, (p,q',r')) : (q,\epsilon,S,k,q') \in \tau_{\mathcal{T}},\ (r,S,r') \in \tau_{DB},\ p \in P_Q\}$
$\cup\ \{((p,q,r), R, \epsilon, k, (p',q',r)) : (p,R,p') \in \tau_Q,\ (q,R,\epsilon,k,q') \in \tau_{\mathcal{T}},\ r \in P_{DB}\}.$

It is easy to see that $(a, b, k) \in ans_{\mathcal{T}}(Q, DB)$, if and only if
there exists, in the graph representation of C, a final state (_, _, b)
reachable from an initial state (_, _, a), and the shortest path between them
has cost k.

For shortest paths, both Dijkstra’s algorithm and the Floyd-Warshall algorithm
(see e.g. [AHU74]) could be used. Although the running times for both
Dijkstra’s and Floyd-Warshall algorithms are asymptotically the same, perhaps
Dijkstra’s algorithm is better suited in our scenario. The first reason is that
in practice the user might be interested in computing objects reachable only
from a limited number of objects, for example when we have a rooted database
graph. In such a case, the running time of Dijkstra’s algorithm is better,
since we don’t need to compute the shortest paths between all pairs of objects,
as in the Floyd-Warshall algorithm.

2 We might have done several such multiplications.

The second reason is that most of the time the user is interested only in
receiving, say, the 20 best answers. Then Dijkstra’s algorithm is the ideal
choice: it processes the nodes in the order of their distance from the source.
Hence, if we could construct the transducer C on the fly, while at the same
time applying the Dijkstra algorithm, then we could stop the execution of the
algorithm after 20 iterations.

We can construct the transducer C on the fly by utilizing a lazy algorithm
similar to the lazy query evaluation algorithm of [ABS99], which in essence
constructs the Cartesian product of a query with a database. Notably, the
Dijkstra algorithm can be elegantly combined with such a lazy construction of
C. By assuming in addition a temporary cache of the “so far reached” objects
(the set reach in the aforementioned book), we can avoid accessing the same
object in the database more than once. Because of space limitation, we omit the
presentation of such a query evaluation algorithm.
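The lazy combination described above, as an added Python example (it is not the authors' omitted algorithm): Dijkstra's search over the product C of A_Q, the distortion transducer and A_DB, built on demand from one source object and stopped after `limit` answers. The database, the query Q = article . hopcroft, the state names t0, t1, p_id and the `limit` and `reach` parameters are constructed for illustration; the transducer is the article/paper/book expression from the Introduction plus the neutral state.

```python
import heapq
from itertools import count

EPS = ""  # the empty word (epsilon) in standard-form transitions


def one_distortion_transducer(alphabet, rules):
    """(D,0,D)* . (sum of rules) . (D,0,D)*, plus the neutral state p_id.

    rules holds symbol-weight-symbol triplets (R, k, S). Transitions are
    (state, input, output, weight, state); returns (transitions, initial, final).
    """
    delta = [(s, a, a, 0, s) for s in ("t0", "t1", "p_id") for a in alphabet]
    delta += [("t0", r, s, k, "t1") for (r, k, s) in rules]
    return delta, {"t0", "p_id"}, {"t1", "p_id"}


def approx_answers(query, transducer, out_edges, source, limit=None, reach=None):
    """Yield (source, b, k) in non-decreasing k, at most `limit` answers.

    query and transducer are (transitions, initial states, final states);
    out_edges(obj) returns the database edges (label, target) leaving obj.
    reach caches fetched objects, so each one is read from the database once.
    """
    q_delta, q_init, q_final = query
    t_delta, t_init, t_final = transducer
    reach = {} if reach is None else reach

    def db_out(obj):
        if obj not in reach:
            reach[obj] = list(out_edges(obj))
        return reach[obj]

    q_out, t_out = {}, {}
    for p, sym, p2 in q_delta:
        q_out.setdefault(p, []).append((sym, p2))
    for q, sym_in, sym_out, k, q2 in t_delta:
        t_out.setdefault(q, []).append((sym_in, sym_out, k, q2))

    tie = count()  # tie-breaker, so heap entries never compare states
    heap = [(0, next(tie), (p, q, source)) for p in q_init for q in t_init]
    heapq.heapify(heap)
    settled, answered = set(), set()
    while heap:
        cost, _, state = heapq.heappop(heap)
        if state in settled:
            continue
        settled.add(state)
        p, q, r = state
        if p in q_final and q in t_final and r not in answered:
            answered.add(r)  # first time b is settled in a final state: minimal k
            yield (source, r, cost)
            if limit is not None and len(answered) >= limit:
                return
        for sym_in, sym_out, k, q2 in t_out.get(q, ()):
            if sym_in == EPS and sym_out == EPS:
                continue  # not among the three transition rules of C
            # Input epsilon: the query state stays (second rule of C).
            p_next = [p] if sym_in == EPS else [
                p2 for s, p2 in q_out.get(p, ()) if s == sym_in]
            if not p_next:
                continue  # the query cannot move, so do not touch the database
            # Output epsilon: the database object stays (third rule of C).
            r_next = [r] if sym_out == EPS else [
                r2 for s, r2 in db_out(r) if s == sym_out]
            for p2 in p_next:
                for r2 in r_next:
                    if (p2, q2, r2) not in settled:
                        heapq.heappush(heap, (cost + k, next(tie), (p2, q2, r2)))


# Constructed sample data (not the paper's Figure 1 or Figure 2).
ALPHABET = ["article", "paper", "book", "hopcroft", "ullman"]
DB = {
    "lib": [("article", "a1"), ("paper", "p1"), ("book", "p1"),
            ("book", "b1"), ("book", "b2")],
    "a1": [("hopcroft", "n1")],
    "p1": [("hopcroft", "n2")],
    "b1": [("hopcroft", "n3")],
    "b2": [("ullman", "n4")],
}
# Epsilon-free NFA for Q = article . hopcroft
QUERY = ([(0, "article", 1), (1, "hopcroft", 2)], {0}, {2})
TRANS = one_distortion_transducer(
    ALPHABET, [("article", 1, "paper"), ("article", 3, "book")])


def demo(limit=None):
    return list(approx_answers(QUERY, TRANS, lambda o: DB.get(o, []), "lib", limit))


if __name__ == "__main__":
    for answer in demo():
        print(answer)
```

Object p1 is reachable from lib over both a paper edge and a book edge, so the answer for n2 carries the smaller weight; n4 is never an answer because no allowed distortion turns hopcroft into ullman.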

4 Containment 

In this section, we define and study three notions of containment for regular 
path queries under approximate semantics. 

Recall, that a query $Q_1$ is (in the usual sense) contained in a query $Q_2$,
denoted $Q_1 \sqsubseteq Q_2$ iff $ans(Q_1, DB) \subseteq ans(Q_2, DB)$, for
all DB’s [GT01]. It is easy to see that this notion of query containment
coincides with the (algebraic) language containment of $Q_1$ and $Q_2$, i.e.
$Q_1 \sqsubseteq Q_2$ iff $Q_1 \subseteq Q_2$. However, under approximate
semantics the tuples in the query answers are weighted, and so the containment
should take into consideration the tuple weights.

As we know, the smaller the weight of a tuple the better or more reliable it
is. For our first notion of containment, we say that a query $Q_1$ is
approximately contained in a query $Q_2$, if for any database the answer-tuples
for $Q_1$ are also answer-tuples for $Q_2$, and furthermore, under $Q_2$, those
tuples are more reliable. The reason behind this view is that, since for
obtaining a tuple, $Q_1$ needs more distortions than $Q_2$, semantically $Q_1$
is “smaller” than $Q_2$.

However, the approximate query containment is perhaps not very useful. This
is because the distance between the corresponding tuples can be arbitrarily
large. In other words, it could happen that, for any $n \in N$ we can find a
database such that the tuples obtained for $Q_1$ on this database, have a
distortion weight greater than n compared to the weight of the corresponding
tuples for $Q_2$ obtained on the same database.

Hence, we are also interested in the quality of the approximate query
containment. For this, we define the k-containment, which in addition to
approximate containment requires that the weights of the corresponding tuples
do not differ more than a given number k. Also, depending on the application,
the mere existence of such a number k could be useful to know. For this, we
define the reliable containment, which asks whether or not there exists a
number k, for which the k-containment holds. Formally, we have

1. A query $Q_1$ is approximately contained in a query $Q_2$, denoted
$Q_1 \sqsubseteq_{\mathcal{T}} Q_2$, when for any database DB, if
$(a, b, n) \in ans_{\mathcal{T}}(Q_1, DB)$, then
$(a, b, m) \in ans_{\mathcal{T}}(Q_2, DB)$ and $m \leq n$.

2. A query $Q_1$ is k-contained in a query $Q_2$, denoted
$Q_1 \sqsubseteq_{\mathcal{T},k} Q_2$, if in the above we also have that
$n - m \leq k$.

3. A query Qi is reliably contained in a query Q 2 , denoted Qi Q2, if there 

exists a $k \in N$, such that $Q_1 \sqsubseteq_{\mathcal{T},k} Q_2$.

Surprisingly enough, the (unbounded) approximate containment does not 
offer more information in reasoning about queries, than the containment under 
exact semantics. Namely, we show that for any distortion transducer T 

Theorem 4.1. $Q_1 \sqsubseteq_T Q_2$ iff $Q_1 \subseteq Q_2$.

PROOF. “If.” From the definition of the approximate answers through a distortion
transducer, we have that for any database $DB$, if $(a,b,n) \in \mathit{ans}_T(Q_1,DB)$, there
exists a word $w \in Q_1$ and a word $u$ such that $a \xrightarrow{u} b$ in $DB$ and $d_T(w,u) = n$.
Since $Q_1 \subseteq Q_2$, we have that $w \in Q_2$ as well, and so, for sure there exists an $m$
not bigger than $n$ (i.e. $m \le n$) such that $(a,b,m) \in \mathit{ans}_T(Q_2,DB)$.

“Only if.” We show that $Q_1 \sqsubseteq_T Q_2$ implies $Q_1 \subseteq Q_2$. Let $w = R_1 \ldots R_h$
be a word in $Q_1$. From $w$ we construct a canonical database $DB$ with vertices
$\{a, c_1, \ldots, c_{h-1}, b\}$ and edges $\{(a,R_1,c_1), \ldots, (c_{h-1},R_h,b)\}$. Clearly,
$(a,b,0) \in \mathit{ans}_T(Q_1,DB)$, and from $Q_1 \sqsubseteq_T Q_2$ we have that $(a,b,m) \in \mathit{ans}_T(Q_2,DB)$,
where $m \le 0$, i.e. $m = 0$. So, there is a word in $Q_2$ that without being distorted
at all can label a path from $a$ to $b$ in $DB$. Since there is only one path between
$a$ and $b$ in $DB$ and this path spells $w$, we have that $w \in Q_2$. □

In the rest of the paper, we will be interested in the k- and reliable contain- 
ments because of their practical usability. 

Although related, the problems of $k$-containment and the reliable containment
are different. For the $k$-containment problem, the input is two queries, a
distortion transducer, and a fixed number $k$ that the user provides. Then, the
question is whether the queries are at most “$k$ steps apart,” or not. On the other
hand, for the reliable containment problem, $k$ is not part of the input, and the
question is existential.

Now, we will define the $T$-distance between two queries, and then give a
necessary and sufficient condition for the $k$- and reliable containment, based on
their $T$-distance.

Consider a word $w$ on $\Delta$. The $T$-distance between $Q_1$ and $w$ is

$$d_T(Q_1, w) = \inf\{d_T(u,w) : u \in Q_1\}.$$

Based on that, the $T$-distance between $Q_1$ and $Q_2$ can be naturally defined as

$$d_T(Q_1, Q_2) = \sup\{d_T(Q_1,w) : w \in Q_2\}.$$

Returning to our problem, we give the following characterization. 

Theorem 4.2.

1. $Q_1 \sqsubseteq_{T,k} Q_2$ if and only if $Q_1 \subseteq Q_2$ and $d_T(Q_1,Q_2) \le k$.

2. $Q_1$ is reliably contained in $Q_2$ if and only if $Q_1 \subseteq Q_2$ and there is a $k \in \mathbb{N}$ such that
$d_T(Q_1,Q_2) \le k$.

PROOF. We will prove only the first claim, since the second one follows directly
from the first.

“If.” Let $DB$ be a database and $(a,b,n) \in \mathit{ans}_T(Q_1,DB)$. Since $Q_1 \subseteq Q_2$,
we have that there exists an $m \le n$ such that $(a,b,m) \in \mathit{ans}_T(Q_2,DB)$. Now,
we want to prove that $n - m \le k$. Since $(a,b,m) \in \mathit{ans}_T(Q_2,DB)$, there exists
a word $w_2 \in Q_2$ such that $d_T(w_2,u) = m$, for some $a \xrightarrow{u} b$ in $DB$. Now, from
the condition $d_T(Q_1,Q_2) \le k$, we have that for the word $w_2$ there exists a word
$w_1 \in Q_1$ such that $d_T(w_1,w_2) \le k$. In plain language, $w_1$ needs less than $k$
transducer distortions to become $w_2$. Hence, we finally have

$$
\begin{aligned}
n &\le \inf\{d_T(w_1,u) : a \xrightarrow{u} b \text{ in } DB\} \\
  &\le k + \inf\{d_T(w_2,u) : a \xrightarrow{u} b \text{ in } DB\} \\
  &= k + m,
\end{aligned}
$$

i.e. $n - m \le k$.

“Only if.” The fact that $Q_1 \sqsubseteq_{T,k} Q_2$ implies $Q_1 \subseteq Q_2$ follows directly
from Theorem 4.1. Now, we continue showing that $Q_1 \sqsubseteq_{T,k} Q_2$ implies
$d_T(Q_1,Q_2) \le k$. Let $w = R_1 \ldots R_l$ be a word in $Q_2$. We construct a canonical
database $DB$ with vertices $\{a, c_1, \ldots, c_{l-1}, b\}$ and edges $\{(a,R_1,c_1), \ldots,
(c_{l-1},R_l,b)\}$. Clearly, $(a,b,0) \in \mathit{ans}_T(Q_2,DB)$ and from $Q_1 \sqsubseteq_{T,k} Q_2$ we have
that $(a,b,n) \in \mathit{ans}_T(Q_1,DB)$, where $n \le k$. Observe that there is only one path
between $a$ and $b$ in $DB$ and this path spells $w$. So, we have that $d_T(Q_1,w) = n$,
i.e. $d_T(Q_1,w) \le k$. Since $w$ was an arbitrary word in $Q_2$, we finally get that
$d_T(Q_1,Q_2) \le k$. □

Now we will focus on reasoning about $d_T(Q_1,Q_2)$. Let $\mathcal{A}_1 = (P_1, \Delta, \tau_1,
P_{01}, F_1)$ and $\mathcal{A}_2 = (P_2, \Delta, \tau_2, P_{02}, F_2)$ be two ε-free automata for $Q_1$ and $Q_2$
respectively, and let $C = \mathcal{A}_2 \times T \times \mathcal{A}_1 = (P, \Delta, \tau, P_0, F)$ be a Cartesian product
transducer constructed as in Section 3.

For simplicity of exposition, we will call a sequence of transitions a path
(not necessarily simple) in the transducer. Suppose that a path $\pi$ is the sequence
of transitions $(p_1,u_1,w_1,k_1,p_2), (p_2,u_2,w_2,k_2,p_3), \ldots, (p_n,u_n,w_n,k_n,p_{n+1})$.
We say that $\pi$ spells $u_1 \ldots u_n$ as input, and denote this as $\mathit{in}(\pi) = u_1 \ldots u_n$.
Additionally, we say that $\pi$ spells $w_1 \ldots w_n$ as output, and denote this as
$\mathit{out}(\pi) = w_1 \ldots w_n$. Finally, we say that $\pi$ has weight $k$, and denote this as
$\mathit{weight}(\pi) = k$, if $k = k_1 + \cdots + k_n$.
The following lemma says that measuring the distortion through the transducer
$T$ or $C$ is in essence the same.

Lemma 4.1. For $u, w \in \Delta^*$ we have that $d_T(u,w) = d_C(u,w)$.

PROOF. From the construction of the Cartesian product transducer $C$, if there
is a path $\pi$ in $T$ such that $\mathit{in}(\pi) = u$ and $\mathit{out}(\pi) = w$, then $\pi$ is also in $C$ and
vice versa. Hence, we get $d_T(u,w) = d_C(u,w)$. Otherwise, if there is no such
path, we can easily see that $d_T(u,w) = d_C(u,w) = \infty$. □

Now, consider the weighted automaton $\mathcal{A}$ that we get if we project out the
input column of the transition relation of $C$. Formally, $\mathcal{A} = (P, \Delta, \tau_{\mathcal{A}}, P_0, F)$,
where $\tau_{\mathcal{A}} = \{(p,R,k,q) : (p,S,R,k,q) \in \tau\}$. Let $p$ and $q$ be two states of $\mathcal{A}$,
and let $\pi$ be a path between them. Suppose $\mathit{out}(\pi) = w$. Note that there can
be more than one path³ between $p$ and $q$ spelling $w$. In reasoning about the
$k$-containment we will be interested in the “best” path(s) spelling $w$, i.e. the
one(s) with the smallest weight. Let therefore

$$d_{\mathcal{A}}(p,w,q) = \inf\{\mathit{weight}(\pi) : \pi \text{ is a path spelling } w \text{ and going from } p \text{ to } q \text{ in } \mathcal{A}\}.$$

Now, we define the distance of $\mathcal{A}$ as

$$d(\mathcal{A}) = \sup\{d_{\mathcal{A}}(p,w,q) : w \text{ is accepted by } \mathcal{A},\ p \in P_0,\ q \in F\}.$$

Based on these definitions, Lemma 4.1, and the construction of the weighted
automaton $\mathcal{A}$, the following theorem can be easily verified.

Theorem 4.3. $d_T(Q_1,Q_2) = d(\mathcal{A})$.

We say that a weighted automaton $\mathcal{A}$ is $k$-limited (for a given $k$) if $d(\mathcal{A}) \le k$,
and $\mathcal{A}$ is limited if there exists a $k \in \mathbb{N}$ such that $\mathcal{A}$ is $k$-limited.

Now, Theorem 4.3 along with Theorem 4.2 say that the $k$-containment (reliable
containment) is reducible to the $k$-limitedness (limitedness) of weighted
automata. Since such an automaton is constructible in polynomial time on the
size of $Q_1$, $Q_2$, and $T$, we have that the aforementioned reduction is polynomial
as well.

If we restrict ourselves to weighted automata without ε-transitions, we get
a class of automata which are widely known as distance automata, and whose
limitedness problem is well known for its intricacy. The first solution was obtained
by Hashiguchi in 1982, and it gave him the key for solving the star height
problem, which had been open for over two decades. Hashiguchi’s solution runs in
doubly exponential time. By now, it is known that the problem is PSPACE-hard
[Leu91]. The best known algorithm for deciding whether a distance automaton
is limited is by Leung [Leu91] and it runs in single exponential time.

Leung’s algorithm is based on the notion of “distance matrices” which can
elegantly capture the behavior of distance automata. However, the fact that the
distance automata are ε-free is of essential importance in using Leung’s distance
matrices.

³ Such paths could have some ε-transitions as well.

In order to make use of Leung’s algorithm for deciding the reliable containment
(which corresponds to the limitedness problem), we show in Section 6
that we can efficiently transform the transducer $C$ into one with ε-free output
transitions, while preserving the semantics of $C$. Consequently, the automaton
$\mathcal{A}$ that we obtain from this ε-free output transducer will be ε-free as well.

Unfortunately, Leung’s algorithm is unable to decide the $k$-limitedness of
a distance automaton, which in turn is needed to decide the $k$-containment
of queries. Also, as far as the authors know, there is no previous work on
$k$-limitedness of distance automata.

In the next section, we provide an optimal solution to the $k$-limitedness
problem, by automata constructs. Our solution is applicable to general weighted
automata, as opposed to only distance automata.

5 Deciding k-Containment

We consider the automaton $\mathcal{A}$, constructed in the previous section, having as
weights on its transitions only 0 and 1. If not, we can easily “normalize” it by
replacing each transition $(p,R,m,q)$, where $m > 1$, by the sequence of transitions
$(p,R,1,r_1), (r_1,\varepsilon,1,r_2), \ldots, (r_{m-1},\varepsilon,1,q)$. For technical reasons, we also add to
the transition relation of $\mathcal{A}$ the neutral transitions $(p,\varepsilon,0,p)$ for each state, i.e.
self-loops of weight 0, labeled with ε. Evidently, these neutral transitions do
not alter any salient features of $\mathcal{A}$. However, we can now assume that for any two
transitions in the automaton $\mathcal{A}$ there is always a 0-weighted transition between
them.

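We will need a few simple operations on automata. Let $\mathcal{A}$ and $\mathcal{B}$ be automata.
Then we denote with $\mathcal{A} \cup \mathcal{B}$ the automaton, obtained by the usual construction,
recognizing $L(\mathcal{A}) \cup L(\mathcal{B})$. Similarly, $\mathcal{A} \cdot \mathcal{B}$ denotes the automaton recognizing
$L(\mathcal{A}) \cdot L(\mathcal{B})$.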

Now, let’s assume that all automata have their states labeled by consecutive
integers starting from 1. We denote with $\mathcal{A}_{i,j}$ the automaton obtained from $\mathcal{A}$
by shifting the set of initial states to be $\{i\}$ and the final states to be $\{j\}$. Also,
let $\mathbf{0}(\mathcal{A})$ be the automaton obtained from $\mathcal{A}$ by deleting all transitions with cost
1. Finally, for $\{i,j\} \subseteq \{1,\ldots,n\}$, we consider the set of elementary automata
$\mathbf{1}_{i,j}(\mathcal{A})$, each obtained from $\mathcal{A}$ by retaining only transitions between $i$ and $j$,
and only those that have cost 1. Observe that an automaton, say $(\mathbf{0}(\mathcal{A}))_{i,j}$, can
be a full-fledged automaton, i.e. with loops, while an elementary automaton, say
$\mathbf{1}_{i,j}(\mathcal{A})$, is simple in the sense that it does not contain any loops.

Given a normalized weighted automaton $\mathcal{A} = (\{1,\ldots,n\}, \Delta, \tau, S, F)$, we wish
to compute an automaton $\mathbf{k}(\mathcal{A})$ such that $L(\mathbf{k}(\mathcal{A})) = \{w \in L(\mathcal{A}) : d_{\mathcal{A}}(w) \le k\}$.

Clearly, if we are able to construct $\mathbf{k}(\mathcal{A})$, then we can decide whether or not
$d(\mathcal{A}) \le k$ by testing the language equality $L(\mathbf{k}(\mathcal{A})) = L(\mathcal{A})$. Hence, by this, we
cast the decision of the (weighted) $k$-containment into a pure regular language
equivalence test, which can be done in polynomial space.
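We will construct $\mathbf{k}(\mathcal{A})$ by a recursive algorithm obtained from the following
equations:

$$\mathbf{k}(\mathcal{A}) = \mathcal{A}^0 \cup \mathcal{A}^1 \cup \ldots \cup \mathcal{A}^k$$

where $\mathcal{A}^0 = \mathbf{0}(\mathcal{A})$, and for $1 \le h \le k$

$$\mathcal{A}^h = \bigcup_{i \in S,\ j \in F} \mathcal{A}^h_{i,j}$$

where

$$
\mathcal{A}^h_{i,j} =
\begin{cases}
\bigcup_{m \in \{1,\ldots,n\}} \mathcal{A}^{h/2}_{i,m} \cdot \mathcal{A}^{h/2}_{m,j} & \text{for } h \text{ even} \\
\bigcup_{m \in \{1,\ldots,n\}} \mathcal{A}^{(h-1)/2}_{i,m} \cdot \mathcal{A}^{(h+1)/2}_{m,j} & \text{for } h \text{ odd}
\end{cases}
$$

for $h > 1$, and

$$\mathcal{A}^1_{i,j} = \bigcup_{\{m,l\} \subseteq \{1,\ldots,n\}} (\mathbf{0}(\mathcal{A}))_{i,m} \cdot \mathbf{1}_{m,l}(\mathcal{A}) \cdot (\mathbf{0}(\mathcal{A}))_{l,j}.$$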

We can now show that indeed: 

Theorem 5.1. $L(\mathbf{k}(\mathcal{A})) = \{w \in L(\mathcal{A}) : d_{\mathcal{A}}(w) \le k\}$.

PROOF. We will prove that for all $0 \le h \le k$, the automaton $\mathcal{A}^h$, considered as
graph, consists of all the paths⁴ in $\mathcal{A}$ with weight exactly $h$, and going from an
initial to a final state. So, a word spelled by such a path cannot have distance
more than $h$. As a consequence the automaton

$$\mathbf{k}(\mathcal{A}) = \mathcal{A}^0 \cup \mathcal{A}^1 \cup \ldots \cup \mathcal{A}^k$$

will accept all the words in $L(\mathcal{A})$ that cannot have $\mathcal{A}$-distance more than
$0, 1, \ldots, k$. From this, our claim follows.

We proceed by induction on $h$. For $h = 0$, the automaton $\mathcal{A}^0$ is in fact $\mathbf{0}(\mathcal{A})$,
so it consists of all the 0-weighted paths in $\mathcal{A}$, going from some initial to some
final state. For $h = 1$, the automaton, say

$$\mathcal{A}^1_{i,j} = \bigcup_{\{m,l\} \subseteq \{1,\ldots,n\}} (\mathbf{0}(\mathcal{A}))_{i,m} \cdot \mathbf{1}_{m,l}(\mathcal{A}) \cdot (\mathbf{0}(\mathcal{A}))_{l,j},$$

consists of the $\mathcal{A}$-paths starting from state $i$ and traversing any number of
0-weighted arcs (transitions) up to some state $m$, then a 1-weighted arc going
to some state $l$, and after that, any number of 0-weighted arcs ending up in
state $j$. Since $m$ and $l$ range over all the possible states, we have that the above
described paths are in fact all the 1-weighted paths of $\mathcal{A}$ going from state $i$ to
state $j$. Hence, $\mathcal{A}^1$ will consist of all the 1-weighted paths of $\mathcal{A}$ going from an
initial to a final state.

⁴ By a path we do not necessarily mean a simple path. Some authors use the term
walk instead.
For $h = 2$, the automaton, say

$$\mathcal{A}^2_{i,j} = \bigcup_{m \in \{1,\ldots,n\}} \mathcal{A}^1_{i,m} \cdot \mathcal{A}^1_{m,j},$$

consists of concatenations of the 1-weighted paths of $\mathcal{A}$ starting from state $i$ and
going to some state $m$, with the 1-weighted paths of $\mathcal{A}$ starting from that state
$m$ and ending up in state $j$. Since $m$ ranges over all the possible states, these
concatenations are in fact all the possible 2-weighted paths of $\mathcal{A}$ going from state
$i$ to state $j$. Hence, $\mathcal{A}^2$ will consist of all the 2-weighted paths of $\mathcal{A}$ going from
an initial to a final state.

Now we want to show that for some $h > 2$, the automaton, say $\mathcal{A}^h_{i,j}$, consists
of all the $h$-weighted paths of $\mathcal{A}$ going from state $i$ to state $j$. We assume that
this is true for all $\mathcal{A}^m_{i,j}$, when $m < h$. Suppose that $h$ is even. The case when $h$
is odd can be similarly dealt with. We have that

$$\mathcal{A}^h_{i,j} = \bigcup_{m \in \{1,\ldots,n\}} \mathcal{A}^{h/2}_{i,m} \cdot \mathcal{A}^{h/2}_{m,j}.$$

From the induction hypothesis, $\mathcal{A}^{h/2}_{i,m}$ and $\mathcal{A}^{h/2}_{m,j}$ consist of all the $h/2$-weighted
paths of $\mathcal{A}$ going from state $i$ to some state $m$, and all the $h/2$-weighted paths
of $\mathcal{A}$ going from that state $m$ to state $j$ respectively. Since $m$ ranges over all
the possible states, from the above equation we get that $\mathcal{A}^h_{i,j}$ consists of all the
possible $h$-weighted paths of $\mathcal{A}$ going from state $i$ to state $j$. Hence, $\mathcal{A}^h$ will
consist of all the $h$-weighted paths of $\mathcal{A}$ going from an initial to a final state.

□ 



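Notably, writing $\mathcal{A}^h_{i,j} = \bigcup_{m \in \{1,\ldots,n\}} \mathcal{A}^{h/2}_{i,m} \cdot \mathcal{A}^{h/2}_{m,j}$ (supposing $h$ is even) instead
of naively writing equivalently $\mathcal{A}^h_{i,j} = \bigcup_{m \in \{1,\ldots,n\}} \mathcal{A}^{h-1}_{i,m} \cdot \mathcal{A}^1_{m,j}$ makes us very
efficient with respect to $h$ (and in turn with respect to $k$) for computing $\mathcal{A}^h_{i,j}$
(and in turn $\mathcal{A}^k_{i,j}$). In order to see that, suppose for simplicity that $h$ is a power
of 2. Now, from our equation $\mathcal{A}^h_{i,j} = \bigcup_{m \in \{1,\ldots,n\}} \mathcal{A}^{h/2}_{i,m} \cdot \mathcal{A}^{h/2}_{m,j}$ we have that $\mathcal{A}^2_{i,j}$
will be a union of $n$ automata of size $2p$ (where $p$ is a polynomial on $n$), $\mathcal{A}^4_{i,j}$
will be a union of $n$ automata of size $4np$, $\mathcal{A}^8_{i,j}$ will be a union of $n$ automata
of size $8n^2p$, and so on. Hence, by using our recurrence equation we will get a
resulting automaton $\mathcal{A}^h_{i,j}$, which is a union of $n$ automata of length $h n^{\log_2 h - 1} p$,
i.e. the size of $\mathcal{A}^h_{i,j}$ will be $h n^{\log_2 h} p$. In other words, had we used the equivalent
equation $\mathcal{A}^h_{i,j} = \bigcup_{m \in \{1,\ldots,n\}} \mathcal{A}^{h-1}_{i,m} \cdot \mathcal{A}^1_{m,j}$, the automata $\mathcal{A}^h_{i,j}$ would be a union
of $n$ automata of size $p n^{h-1}$, i.e. the total size would be $p n^h$.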

We are now ready to show the following theorem. 

Theorem 5.2. The k-limitedness problem is in PSPACE with respect to the
size of the automaton. Furthermore, the decision can be made in space
sub-exponential with respect to k.

Proof. Recall that to decide whether $d(\mathcal{A}) \le k$ amounts to testing the language
equality $L(\mathbf{k}(\mathcal{A})) = L(\mathcal{A})$. Now, from the above discussion it is clear that the size
of $\mathbf{k}(\mathcal{A})$ is $O(k^2 n^{\log_2 k})$. So, we can test the language equivalence $L(\mathbf{k}(\mathcal{A})) = L(\mathcal{A})$
in polynomial space on the size of $\mathcal{A}$ (see [HRS76]), and in sub-exponential space
on $k$. □
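The k-limitedness test of this section, as an added example that is not code from the paper. It does not build k(A) through the recursive equations above; it swaps in a capped subset construction that tracks, for every word, the cheapest weight at which each state is reached (capped at k+1), which decides the same property d(A) ≤ k. The tuple representation (p, R, k, q), states numbered from 0, single-character symbols, ε-freeness and both sample automata are assumptions made for the example.

```python
from collections import deque

INF = float("inf")  # weight of a state that no path spelling the word reaches


def step(vec, symbol, trans, cap):
    """One min-plus step: cheapest weight to reach each state after reading `symbol`."""
    new = [INF] * len(vec)
    for p, r, k, q in trans:
        if r == symbol and vec[p] != INF:
            # Capping is safe because weights are non-negative: anything above
            # the bound k stays above it, so k + 1 stands for "too expensive".
            new[q] = min(new[q], min(vec[p] + k, cap))
    return tuple(new)


def word_distance(n, trans, init, final, word):
    """d_A(w): weight of the cheapest accepting path spelling w, INF if w is rejected."""
    vec = tuple(0 if s in init else INF for s in range(n))
    for symbol in word:
        vec = step(vec, symbol, trans, INF)
    return min((vec[f] for f in final), default=INF)


def find_violation(n, trans, init, final, k):
    """Return a shortest accepted word w with d_A(w) > k, or None when d(A) <= k."""
    cap = k + 1
    alphabet = sorted({r for _, r, _, _ in trans})
    start = tuple(0 if s in init else INF for s in range(n))
    seen = {start}
    queue = deque([(start, "")])
    while queue:  # breadth-first search over the finitely many capped vectors
        vec, word = queue.popleft()
        best = min((vec[f] for f in final), default=INF)
        if best != INF and best > k:
            return word  # accepted, but every accepting path costs more than k
        for symbol in alphabet:
            nxt = step(vec, symbol, trans, cap)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, word + symbol))
    return None


# Constructed sample 1: a*b is accepted along two routes. From state 0 every 'a'
# costs 1 and 'b' is free; from state 1 every 'a' is free and 'b' costs 1.
# Hence d_A(a^n b) = min(n, 1) and d(A) = 1.
TWO_ROUTES = dict(
    n=3,
    trans=[(0, "a", 1, 0), (0, "b", 0, 2), (1, "a", 0, 1), (1, "b", 1, 2)],
    init={0},
    final={2},
)
TWO_ROUTES["init"] = {0, 1}

# Constructed sample 2: a single loop of weight 1, so d_A(a^n) = n and the
# automaton is not limited for any k.
COUNTER = dict(n=1, trans=[(0, "a", 1, 0)], init={0}, final={0})

if __name__ == "__main__":
    for k in range(3):
        print("TWO_ROUTES", k, find_violation(**TWO_ROUTES, k=k))
        print("COUNTER   ", k, find_violation(**COUNTER, k=k))
```

The search visits at most (k+3)^n vectors, so it is exponential in the number of states and does not reproduce the space bound of Theorem 5.2.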

Based on the above Theorem and on Theorem 4.3, we can state the following 
corollary. 

Corollary 5.1. The problem of deciding whether $Q_1 \sqsubseteq_{T,k} Q_2$ is in PSPACE
with respect to the combined size of $Q_1$, $Q_2$, and $T$. Furthermore, the decision
can be done in space sub-exponential with respect to $k$.

We turn now to the lower bound for deciding the $k$-containment.

Theorem 5.3. The problem of deciding whether $Q_1 \sqsubseteq_{T,k} Q_2$ is PSPACE-hard,
even if we know that $Q_1 \subseteq Q_2$.

PROOF. First recall from Theorem 4.2 that $Q_1 \sqsubseteq_{T,k} Q_2$ is equivalent to
$d_T(Q_1,Q_2) \le k$. We will now reduce the NFA universality problem to the
$d_T(Q_1,Q_2) \le k$ problem. The universality problem says: given an NFA $\mathcal{A}$, is
$\Delta^* \subseteq L(\mathcal{A})$? The universality problem is PSPACE-complete [HRS76].

For an arbitrary NFA $\mathcal{A}$ on $\Delta$ we take $Q_1 = L(\mathcal{A})$. We choose $Q_2 = \Delta^*$
and we take as a distortion transducer $T$ the one that corresponds to the
free applications of the three edit operations insertion, deletion, and substitution.
The transducer will consist of a single state, which will be both initial
and final, and loop transitions to this single state. Formally, this transducer is
$T = (\{p\}, \Delta, \tau, \{p\}, \{p\})$, where the transition relation is

$$
\begin{aligned}
\tau = {} & \{(p,R,R,0,p) : R \in \Delta\} \;\cup \\
          & \{(p,\varepsilon,R,1,p) : R \in \Delta\} \;\cup \\
          & \{(p,R,\varepsilon,1,p) : R \in \Delta\} \;\cup \\
          & \{(p,R,S,1,p) : \{R,S\} \subseteq \Delta \text{ and } S \ne R\}.
\end{aligned}
$$

Intuitively, the above says: for each symbol $R$ in $\Delta$ we will have a transition $R/R$
leaving the symbol unchanged at no cost; at cost 1, through the transitions
$\varepsilon/R$ and $R/\varepsilon$, we can insert and delete a symbol respectively; and finally we can
substitute at cost 1 a symbol by another through $R/S$ transitions. Clearly, through
the edit distance transducer any word can be transformed (or distorted) to any
other word. From this fact, we have that $\Delta^* \subseteq T(L(\mathcal{A}))$. However, a word can be
transformed to another different word only through the application of non-zero
cost edit operations. Hence, $d_T(Q_1,Q_2) \le 0$ if and only if $\Delta^* \subseteq L(\mathcal{A})$. □
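The T-distance between a query and a word from Section 4, computed for the single-state edit-distance transducer of this proof, as an added example that is not code from the paper. It runs Dijkstra's algorithm over pairs (NFA state, number of symbols of w already produced); the NFA representation as (source, symbol, target) triples and both sample automata are constructed for the example.

```python
import heapq

INF = float("inf")


def distance_to_language(trans, init, final, word):
    """d_T(L(A), w) = inf{ d_T(u, w) : u in L(A) } for the edit-distance transducer T.

    A configuration (p, i) means: the NFA has read some prefix of u and is in
    state p, and the transducer has already written word[:i].
    """
    dist = {(p, 0): 0 for p in init}
    heap = [(0, p, 0) for p in init]
    heapq.heapify(heap)
    while heap:
        d, p, i = heapq.heappop(heap)
        if d > dist.get((p, i), INF):
            continue  # stale heap entry
        if p in final and i == len(word):
            return d  # first goal popped by Dijkstra is the cheapest one
        moves = []
        if i < len(word):
            # eps/R at cost 1: insert word[i] without reading anything from u
            moves.append((d + 1, p, i + 1))
        for src, r, dst in trans:
            if src != p:
                continue
            # R/eps at cost 1: read R from u and delete it
            moves.append((d + 1, dst, i))
            if i < len(word):
                # R/R at cost 0 (copy) or R/S at cost 1 (substitute)
                cost = 0 if r == word[i] else 1
                moves.append((d + cost, dst, i + 1))
        for nd, q, j in moves:
            if nd < dist.get((q, j), INF):
                dist[(q, j)] = nd
                heapq.heappush(heap, (nd, q, j))
    return INF  # L(A) is empty


# Constructed sample: Q1 = (ab)*, which is not universal over {a, b}.
AB_STAR = dict(trans=[(0, "a", 1), (1, "b", 0)], init={0}, final={0})

# Constructed sample: Q1 = {a, b}*, the universal language.
UNIVERSAL = dict(trans=[(0, "a", 0), (0, "b", 0)], init={0}, final={0})

if __name__ == "__main__":
    for w in ["", "abab", "aba", "bb", "bbb"]:
        print(repr(w),
              distance_to_language(**AB_STAR, word=w),
              distance_to_language(**UNIVERSAL, word=w))
```

For the universal automaton every word is at distance 0, while for (ab)* the words outside the language are at positive distance, which is the equivalence the reduction relies on.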

Finally, Corollary 5.1 and Theorem 5.3 imply 

Corollary 5.2. The problem of deciding whether $Q_1 \sqsubseteq_{T,k} Q_2$ is PSPACE-complete
with respect to the combined size of $Q_1$, $Q_2$, and $T$.
6 Deciding Reliable Containment

As we already mentioned in Section 4, the problem of limitedness for distance
automata (ε-free weighted automata) has been thoroughly investigated
by [Has82,Has90,Has00,Leu91,Sim94]. However, in all previous works, the
requirement of ε-freeness is very essential in devising algorithms for deciding the
limitedness of automaton distance.

In this section, we show how to efficiently transform the transducer $C$ into
one with ε-free output transitions, in such a way that the essential features of
$C$ are preserved. As a consequence, the automaton $\mathcal{A}$ that we obtain from this
output ε-free transducer will be ε-free as well.

From the transducer $C$ we will construct another “distance equivalent” transducer
$\mathcal{D}$. We shall use $\varepsilon\text{-}\mathit{closure}_C(p)$, similarly to [HU79], to denote the set of all
vertices $q$ such that there is a path $\pi$ from $p$ to $q$ in $C$ with $\mathit{out}(\pi) = \varepsilon$.

Obviously, we will keep all the transitions with non-ε output of $C$ in the
transducer $\mathcal{D}$ that we are constructing.

Now, we will insert a transition with $R$-output ($R \ne \varepsilon$) in $\mathcal{D}$ from a state
$p$ to a state $q$ whenever there is in $C$ a path $\pi$, with $\mathit{out}(\pi) = \varepsilon$, from $p$ to an
intermediate state $r$ and there is a transition with $R$-output from that state $r$
to the state $q$. Formally, if $C = (P, \Delta, \tau, P_0, F)$, then $\mathcal{D} = (P, \Delta, \rho, P_0, G)$,
where

$$G = F \cup \{p : p \in P_0 \text{ and } \varepsilon\text{-}\mathit{closure}_C(p) \cap F \ne \emptyset\}$$

and

$$
\begin{aligned}
\rho = {} & \{(p,R,S,k,q) : (p,R,S,k,q) \in \tau \text{ and } S \ne \varepsilon\} \;\cup \\
          & \{(p,w,S,\ell,q) : S \ne \varepsilon,\ \exists r \in \varepsilon\text{-}\mathit{closure}_C(p) \text{ such that } (r,R,S,m,q) \in \tau\},
\end{aligned}
$$

where $w$ will be a word such that $w = \mathit{in}(\pi)$, where $\pi$ is the cheapest⁵ path
from $p$ to $r$ in $C$ such that $\mathit{out}(\pi) = \varepsilon$. Also, the weight $\ell$ will be the weight of
$\pi$ (going from $p$ to $r$) plus the weight of the cheapest⁶ transition with $R$-output
from state $r$ to state $q$ in $C$.

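It is easy to verify about the above constructed transducer $\mathcal{D}$ that

Lemma 6.1. $\mathit{rel}(\mathcal{D}) \subseteq \mathit{rel}(C)$, $\mathit{dom}(\mathcal{D}) \subseteq \mathit{dom}(C)$, and $\mathit{ran}(\mathcal{D}) = \mathit{ran}(C)$.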



Then, we show that the distance features of $C$ are preserved in $\mathcal{D}$.

Lemma 6.2. Let $w \in \mathit{ran}(C) = \mathit{ran}(\mathcal{D})$. Then $d_C(\mathit{dom}(C),w) = d_{\mathcal{D}}(\mathit{dom}(\mathcal{D}),w)$.

Proof. We have that

$$d_C(\mathit{dom}(C),w) = \inf\{d_C(u,w) : u \in \mathit{dom}(C)\}.$$

Let $u_0 \in \mathit{dom}(C)$ such that $d_C(u_0,w) = d_C(\mathit{dom}(C),w)$, and consider the
corresponding cheapest path $\pi$, labeled $u_0/w$, in $C$. For simplicity suppose that $u_0$ is
unique. The case when $u_0$ is not unique can be handled with some additional
straightforward omitted technicalities. If none of the edges of $\pi$ is labeled with
ε as output, then by the construction we know that the path $\pi$ is also in $\mathcal{D}$ and
the proof is finished.

⁵ The cheapest path can be non-unique.

⁶ The cheapest transition can also be non-unique.

Now, let’s suppose that some part of the path $\pi$ is

$$p_1 \xrightarrow{R_1/\varepsilon,\ h_1} p_2,\ \ldots,\ p_{k-1} \xrightarrow{R_{k-1}/\varepsilon,\ h_{k-1}} p_k,\ p_k \xrightarrow{R_k/S,\ h_k} p_{k+1},$$

where $S \ne \varepsilon$.

We claim that in $\mathcal{D}$ we will have the transition $(p_1, R_1 \ldots R_k, S, h, p_{k+1})$ with
weight $h = h_1 + \cdots + h_k$.

The only way that this could not be true is if in $C$ there is a path, comprised of
ε-output transitions, which is cheaper than using $\pi$, of getting from $p_1$ to $p_k$.
Suppose this cheap path is labeled $T_1/\varepsilon, \ldots, T_{m-1}/\varepsilon$. There could also be a transition
from $p_k$ to $p_{k+1}$, labeled with $T_m/S$, that is cheaper than the last $\pi$-transition.
If such a cheaper path were to exist, and if we think of $u_0$ as being of the
form $xR_1 \ldots R_{k-1}R_k y$, then for the word $u_1 = xT_1 \ldots T_{m-1}T_m y$ we would have
$d_C(u_1,w) < d_C(u_0,w)$, which is a contradiction. Hence $(p_1, R_1 \ldots R_k, S, h, p_{k+1})$
belongs to the transition relation of $\mathcal{D}$. Now, we can decompose the path $\pi$ into
disjoint (with respect to edges) subpaths such as the above, and subpaths that
do not have any edge labeled by ε on the output. Recall that the subpaths that
do not have any edge labeled by ε on the output are kept in $\mathcal{D}$, and so finally,
we have that there exists a path in $\mathcal{D}$ labeled $u_0/w$ and with the same weight
as $\pi$. From this, we conclude that $d_C(\mathit{dom}(C),w) \ge d_{\mathcal{D}}(\mathit{dom}(\mathcal{D}),w)$.

To prove $d_C(\mathit{dom}(C),w) \le d_{\mathcal{D}}(\mathit{dom}(\mathcal{D}),w)$ we reason in the following way.
From Lemma 6.1, we have that $\mathit{rel}(\mathcal{D}) \subseteq \mathit{rel}(C)$. So, if $(u,w) \in \mathit{rel}(\mathcal{D})$ then
$(u,w) \in \mathit{rel}(C)$ and by the construction of $\mathcal{D}$ we know that for the cheapest path
in $\mathcal{D}$ labeled with $u/w$ there is a corresponding path in $\mathcal{D}$ labeled with $u/w$ and
having the same weight. Based on this observation the above inequality follows.

□ 



If we now eliminate the input from the transitions in $\mathcal{D} = (P, \Delta, \rho, P_0, G)$,
we obtain an ε-free distance automaton $\mathcal{A} = (P, \Delta, \tau_{\mathcal{A}}, P_0, G)$, where

$$\tau_{\mathcal{A}} = \{(p,R,\ell,q) : (p,w,R,k,q) \in \rho \text{ for some } w\},$$

and the weight $\ell$ is given by the weight of the (possibly non-unique) corresponding
cheapest transition in the transducer $\mathcal{D}$, i.e.

$$\ell = \inf\{k : (p,w,R,k,q) \in \rho \text{ for some } w\}.$$

Now, we can state the following theorem. 

Theorem 6.1. Let $Q_1$ and $Q_2$ be queries and $T$ a distortion transducer. Compute
the output ε-free Cartesian product transducer $\mathcal{D}$ and consider the distance
automaton $\mathcal{A}$ constructed from $\mathcal{D}$. Then, $d(\mathcal{A}) = d_T(Q_1,Q_2)$.
PROOF. For $p \in P_0$ and $q \in G$, let $w$ be a word in $Q_2$ such that there exists a
path $\pi$ between the states $p$ and $q$ in $\mathcal{D}$ spelling $w$ as output, i.e. $w = \mathit{out}(\pi)$. By
the construction of $\mathcal{D}$ and $\mathcal{A}$, we have that $d_{\mathcal{A}}(p,w,q) = d_{\mathcal{D}}(\mathit{dom}(\mathcal{D}),w)$. Now,
by using Lemma 6.2 and Lemma 4.1 we derive

$$
\begin{aligned}
d_{\mathcal{A}}(p,w,q) &= d_{\mathcal{D}}(\mathit{dom}(\mathcal{D}),w) \\
                       &= d_C(\mathit{dom}(C),w) \\
                       &= d_T(Q_1,w).
\end{aligned}
$$

Since $w$ was an arbitrary word in $Q_2$, we finally get that $d(\mathcal{A}) = d_T(Q_1,Q_2)$. □



Hence, we are able now to use Leung’s algorithm [Leu91], which is computationally
the best known algorithm for solving the limitedness problem (in single
exponential time), but for which the ε-freeness of the automata is essential.

Additionally, we show the following complexity bound for the reliable con- 
tainment, which says that the exponential time algorithm of Leung is almost the 
best one could do for deciding the problem of reliable containment. 

Theorem 6.2. The reliable query containment problem is PSPACE-hard. 

PROOF. We will give a reverse reduction from the limitedness problem, which is 
known to be PSPACE-hard [Leu91]. 

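Let $\mathcal{A} = (P, \Delta, \tau, P_0, F)$ be a distance automaton. We take another alphabet
$\Gamma$ of the same size as, but disjoint from $\Delta$. Let $\varphi$ be a one-to-one mapping from
$\Delta$ onto $\Gamma$. Now, from the automaton $\mathcal{A}$ we construct a distortion transducer
$T = (P \cup \{p_{id}\}, \Delta \cup \Gamma, \rho, P_0 \cup \{p_{id}\}, F)$, where

$$
\begin{aligned}
\rho = {} & \{(p,\varphi(R),R,k,q) : (p,R,k,q) \in \tau\} \;\cup \\
          & \{(p_{id},R,R,0,p_{id}) : R \in \Delta \cup \Gamma\}.
\end{aligned}
$$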



Note that by adding the new state $p_{id}$ in the above transducer, we do have
the property to “leave everything” unchanged that is required from a distortion
transducer, in order to include the original query words, undistorted, in the result
of transduction.

Let $U$ be the transducer that we get if we drop in $T$ the state $p_{id}$, and let $V$
be the identity transducer that we get if we drop all the other states and keep $p_{id}$.
Clearly, the transducer $T$ can be seen as the union of $U$ and $V$.

Now, let $Q_1 = \mathit{dom}(U)$ and $Q_2 = \mathit{ran}(U) = L(\mathcal{A})$. Since $\Gamma \cap \Delta = \emptyset$ and
$Q_1 \subseteq \Gamma^*$, while $Q_2 \subseteq \Delta^*$, we have that $Q_1 \cap Q_2 = \emptyset$. So, we cannot get any
word of $Q_2$ from $Q_1$ through the 0-weighted identity transducer $V$, i.e. $Q_1$ can
be distorted only through $U$ (which closely corresponds to $\mathcal{A}$) to $Q_2$.

Finally, from all the above we have that $d_T(Q_1,Q_2) = d_U(Q_1,Q_2) = d(\mathcal{A})$.
Hence, $d(\mathcal{A}) \le k$ if $d_T(Q_1,Q_2) \le k$, which by Theorem 4.2 is equivalent with
$Q_1 \sqsubseteq_{T,k} Q_2$. □







References 



[ABS99] Abiteboul S., P. Buneman and D. Suciu. Data on the Web: From Relations
to Semistructured Data and XML. Morgan Kaufmann Publishers. San Francisco, Ca., 1999.

[AHU74] Aho A., J. E. Hopcroft and J. D. Ullman. The Design and Analysis of
Computer Algorithms. Addison-Wesley. Reading Ma., 1974.

[C+99] Calvanese D., G. Giacomo, M. Lenzerini and M. Y. Vardi. Rewriting
of Regular Expressions and Regular Path Queries. Proc. PODS ’99, pp. 194-204.

[C+00] Calvanese D., G. Giacomo, M. Lenzerini and M. Y. Vardi. View-Based
Query Processing and Constraint Satisfaction. Proc. LICS ’00, pp. 361-371.

[GT00] Grahne G., and A. Thomo. An Optimization Technique for Answering
Regular Path Queries. Proc. WebDB ’00, pp. 99-104.

[GT01] Grahne G., and A. Thomo. Algebraic rewritings for optimizing regular
path queries. Proc. ICDT ’01, pp. 303-315.

[Has82] Hashiguchi K. Limitedness Theorem on Finite Automata with Distance
Functions. J. Comp. Syst. Sci. 24 (2): 233-244, 1982.

[Has90] Hashiguchi K. Improved Limitedness Theorems on Finite Automata with
Distance Functions. Theoretical Computer Science 72 (1): 27-38, 1990.

[Has00] Hashiguchi K. New upper bounds to the limitedness of distance automata.
Theoretical Computer Science 233 (1-2): 19-32, 2000.

[HU79] Hopcroft J. E., and J. D. Ullman. Introduction to Automata Theory,
Languages, and Computation. Addison-Wesley. Reading Ma., 1979.

[HRS76] Hunt H. B. III, D. J. Rosenkrantz, and T. G. Szymanski. On the Equivalence,
Containment, and Covering Problems for the Regular and Context-Free
Languages. J. Comp. Syst. Sci. 12 (2): 222-268, 1976.

[Kru83] Kruskal J. An Overview of Sequence Comparison. In: Time Warps, String
Edits, and Macromolecules: The Theory and Practice of Sequence Comparison.
D. Sankoff and J. Kruskal (Eds.). Addison-Wesley. Reading Ma., 1983. pp. 1-44.

[JMM95] Jagadish H. V., A. O. Mendelzon, and T. Milo. Similarity-Based Queries.
Proc. PODS ’95, pp. 36-45.

[Leu91] Leung H. Limitedness Theorem on Finite Automata with Distance Functions:
An Algebraic Proof. Theoretical Computer Science 81 (1): 137-145, 1991.

[MW95] Mendelzon A. O., and P. T. Wood. Finding Regular Simple Paths in
Graph Databases. SIAM J. Comp. 24 (6): 1235-1258, 1995.

[MMM97] Mendelzon A. O., G. A. Mihaila and T. Milo. Querying the World Wide
Web. Int. J. Dig. Lib. 1 (1): 57-67, 1997.

[Pin98] Pin J. E. Tropical Semirings, in Idempotency, J. Gunawardena (ed.)
Cambridge University Press, pp. 50-69, 1998.

[Sim94] Simon I. On Semigroups of Matrices over the Tropical Semiring.
Informatique Theorique et Applications 28 (3-4): 277-294, 1994.

[WF74] Wagner R. A., and M. J. Fischer. The String-to-String Correction Problem.
J. ACM 21 (1): 168-173, 1974.




Weak Functional Dependencies in Higher-Order Datamodels

— The Case of the Union Constructor — 



Sven Hartmann, Sebastian Link, and Klaus-Dieter Schewe



Massey University, Information Science Research Centre 
Private Bag 11 222, Palmerston North, New Zealand 
[s.hartmann|s.link|k.d.schewe]@massey.ac.nz



Abstract. We present an axiomatisation for weak functional depen- 
dencies, i.e. disjunctions of functional dependencies, in the presence of 
several constructors for complex values. These constructors are the tu- 
ple constructor, the set-constructor, an optionality constructor, and a 
union constructor. The theory is smooth and rather uniform, if the union- 
constructor is absent. Its presence, however, complicates all results and 
proofs significantly. The reason for this is that the union-constructor 
comes along with non-trivial restructuring rules. In particular, if the
union-constructor is absent, a subset of the rules is complete for the im- 
plication of ordinary functional dependencies, but this does not hold, if 
the union constructor is present. 



1 Introduction 

In the relational datamodel (RDM) a lot of research has been spent on the theory
of dependencies, i.e. first-order sentences that are supposed to hold for all
database instances [3,19]. Various classes of dependencies for the RDM have been
introduced [22], and large parts of database theory deal with the finite
axiomatisation of these dependencies and the finite implication problem for them, that
is, to decide that a dependency $\varphi$ is implied by a set of dependencies $\Sigma$, where
implication refers to the fact that all finite models of $\Sigma$ are also models of $\varphi$.
The easiest, yet most important class of dependencies is the class of functional
dependencies. Armstrong [5] was the first to give a finite axiomatisation for FDs.

Dependency theory is a cornerstone of database design, as the semantics of 
the application domain cannot be expressed only by structures. Database the- 
ory has to investigate the implications arising from the presence of dependen- 
cies. This means to describe semantically desirable properties of “well-designed” 
databases, e.g., the absence of redundancy, to characterise them (if possible) 
syntactically by in-depth investigation of the dependencies and to develop algo- 
rithms to transform schemata into normal forms, which guarantee the desirable 
properties to be satisfied. 

However, the field of databases is no longer the unique realm of the RDM.
First, so called semantic datamodels have been developed [8,16], which were
originally just meant to be used as design aids, as application semantics was
assumed to be easier captured by these models [6,9,25]. Later on some of these
models, especially the nested relational model [19], object oriented models [20]
and object-relational models, the gist of which are captured by the higher-order
Entity-Relationship model (HERM, [23,24]) have become interesting as datamodels
in their own right and some dependency and normalisation theory has
been carried over to these advanced datamodels [12,17,18,19,21]. Most recently,
the major research interest is on the model of semi-structured data and XML
[1], which may also be regarded as some kind of object oriented model.

We refer to all these models as “higher-order” datamodels. This is, because 
the most important extension that came with these models was the introduction 
of constructors for complex values. These constructors usually comprise bulk 
constructors for sets, lists and multisets, a (disjoint-)union constructor, and an 
optionality or null-constructor. In fact, all the structure of higher-order datamod- 
els (including XML as far as XML can be considered a datamodel) is captured 
by the introduction of (some or all of) these constructors. 

The key problem is to develop dependency theories (or preferably a unified 
theory) for the higher-order datamodels. The development of such a dependency 
theory will have a significant impact on understanding application semantics and 
laying the grounds for a logically founded theory of well-designed non-relational 
databases. 

So far, mainly keys and FDs for advanced datamodels have been investigated 
[7,11,10] and led to several normal form proposals [4,15]. Only the work in [15] 
contains explicit definitions of redundancy and update anomalies and proves 
(in the spirit of the work in [26]) that the suggested higher-level normal form 
(HLNF) in the presence of FDs is indeed equivalent to the absence of redundancy 
and sufficient for the absence of update anomalies. Another difference is that the 
work in [4] tries to reduce the problem to dependencies arising from a relational 
representation of XML documents, thus (similar to [17]) restricts the attention 
to those FDs that arise from the relational representation, whereas our work 
addresses the problem in the context of types for nested attributes and subtyping. 

So far our work on functional dependencies exploited the set-constructor only. 
For this case an axiomatisation was presented in [14,13]. Particular care had to 
be taken for a generalisation of the extension rule, which no longer holds in 
general. In this article we continue our work and investigate the combination 
with the union-constructor, which will increase the complexity of the problem 
tremendously. We have to take restructuring rules into consideration and extend 
the order on equivalence classes of attributes. Then we achieve an axiomatisation 
for weak functional dependencies, but this axiomatisation contains additional 
axioms. Surprisingly, the completeness proof for functional dependencies only, 
i.e. without disjunctions, cannot be generalised. Thus, in order to derive all 
implied functional dependencies we have to reason with disjunctions. 

In Section 2 we briefly define our abstract model of attributes and investigate 
the structure of the set of subattributes of a given nested attribute. We obtain 
a lattice with a relative pseudo-complement operation, but we lose the 
distributivity, i.e. we do not get a full Brouwer algebra. Then in Section 3 we present 
sound axioms and rules for functional and weak functional dependencies. Before 
we can approach the completeness of these rules in Section 5 we need technical 
results on ideals and strong higher-level ideals (SHL-ideals, Section 4), i.e. ideals 
with additional closure properties. The main result of the technical Section 4 is 
the existence of values that coincide exactly on a given SHL-ideal. We refer to 
this result as the Central Lemma. The Central Lemma will be the most impor- 
tant tool in the completeness proof. Due to limited space all proofs that are only 
technical and use boring structural induction had to be omitted. 

2 Algebras of Nested Attributes 

In this section we define our model of nested attributes, which covers the gist 
of higher-order datamodels including XML. In particular, we investigate the 
structure of the set S(X) of subattributes of a given nested attribute X. We 
show that we obtain a non-distributive Brouwer algebra, i.e. a non-distributive 
lattice with relative pseudo-complements. 



2.1 Nested Attributes 

We start with a definition of simple attributes and values for them. 

Definition 1. A universe is a finite set $\mathcal{U}$ together with domains (i.e. sets of 
values) $dom(A)$ for all $A \in \mathcal{U}$. The elements of $\mathcal{U}$ are called simple attributes. 

For the relational model a universe was enough, as a relation schema could 
be defined by a subset $R \subseteq \mathcal{U}$. For higher-order datamodels, however, we need 
nested attributes. In the following definition we use a set $\mathcal{L}$ of labels, and tacitly 
assume that the symbol $\lambda$ is neither a simple attribute nor a label, i.e. $\lambda \notin \mathcal{U} \cup \mathcal{L}$, 
and that simple attributes and labels are pairwise different, i.e. $\mathcal{U} \cap \mathcal{L} = \emptyset$. 

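Definition 2. Let $\mathcal{U}$ be a universe and $\mathcal{L}$ a set of labels. The set $\mathcal{N}$ of nested 
attributes (over $\mathcal{U}$ and $\mathcal{L}$) is the smallest set with $\lambda \in \mathcal{N}$, $\mathcal{U} \subseteq \mathcal{N}$, and satisfying 
the following properties: 

- for $X \in \mathcal{L}$ and $X'_1, \dots, X'_n \in \mathcal{N}$ we have $X(X'_1, \dots, X'_n) \in \mathcal{N}$; 

- for $X \in \mathcal{L}$ and $X' \in \mathcal{N}$ we have $X\{X'\} \in \mathcal{N}$; 

- for $X_1, \dots, X_n \in \mathcal{L}$ and $X'_1, \dots, X'_n \in \mathcal{N}$ we have $X_1(X'_1) \oplus \dots \oplus X_n(X'_n) \in \mathcal{N}$. 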

We call $\lambda$ a null attribute, $X(X'_1, \dots, X'_n)$ a record attribute, $X\{X'\}$ a set 
attribute, and $X_1(X'_1) \oplus \dots \oplus X_n(X'_n)$ a union attribute. As record and set 
attributes have a unique leading label, say $X$, we often write simply $X$ to denote 
the attribute. 

We can now extend the association $dom$ from simple to nested attributes, 
i.e. for each $X \in \mathcal{N}$ we will define a set of values $dom(X)$. 
Definition 3. For each nested attribute $X \in \mathcal{N}$ we get a domain $dom(X)$ as 
follows: 

- $dom(\lambda) = \{\top\}$; 

- $dom(X(X'_1, \dots, X'_n)) = \{(X_1 : v_1, \dots, X_n : v_n) \mid v_i \in dom(X'_i) \text{ for } i = 1, \dots, n\}$ with labels $X_i$ for the attributes $X'_i$; 

- $dom(X\{X'\}) = \{\{v_1, \dots, v_n\} \mid v_i \in dom(X') \text{ for } i = 1, \dots, n\}$, i.e. each 
element in $dom(X\{X'\})$ is a finite set with elements in $dom(X')$; 

- $dom(X_1(X'_1) \oplus \dots \oplus X_n(X'_n)) = \{(X_i : v_i) \mid v_i \in dom(X'_i) \text{ for } i = 1, \dots, n\}$. 

Note that the relational model is covered, if only the tuple constructor is used. 
Thus, instead of a relation schema $R$ we will now consider a nested attribute 
$X$, assuming that the universe $\mathcal{U}$ and the set of labels $\mathcal{L}$ are fixed. Instead of an 
$R$-relation $r$ we will consider a finite set $r \subseteq dom(X)$. 

2.2 Subattributes 

In the dependency theory for the relational model we considered the powerset 
$\mathcal{P}(R)$ for a relation schema $R$. $\mathcal{P}(R)$ is a Boolean algebra with order $\subseteq$, 
intersection $\cap$, union $\cup$ and the difference $-$. 

We will generalise these operations for nested attributes starting with a 
partial order $\ge$. However, this partial order will be defined on equivalence classes of 
attributes. We will identify nested attributes, if we can identify their domains. 

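Definition 4. $\equiv$ is the smallest equivalence relation on $\mathcal{N}$ satisfying the 
following properties: 

- $\lambda \equiv X()$; 

- $X(X'_1, \dots, X'_n) \equiv X(X'_1, \dots, X'_n, \lambda)$; 

- $X(X'_1, \dots, X'_n) \equiv X(X'_{\sigma(1)}, \dots, X'_{\sigma(n)})$ for any permutation $\sigma$; 

- $X_1(X'_1) \oplus \dots \oplus X_n(X'_n) \equiv X_{\sigma(1)}(X'_{\sigma(1)}) \oplus \dots \oplus X_{\sigma(n)}(X'_{\sigma(n)})$ for any permutation $\sigma$; 

- $X(X'_1, \dots, X'_n) \equiv X(Y_1, \dots, Y_n)$ iff $X'_i \equiv Y_i$ for all $i = 1, \dots, n$; 

- $X_1(X'_1) \oplus \dots \oplus X_n(X'_n) \equiv X_1(Y_1) \oplus \dots \oplus X_n(Y_n)$ iff $X'_i \equiv Y_i$ for all $i = 1, \dots, n$; 

- $X\{X'\} \equiv X\{Y\}$ iff $X' \equiv Y$; 

- $X(X'_1, \dots, Y_1(Y'_1) \oplus \dots \oplus Y_m(Y'_m), \dots, X'_n) \equiv Y_1(X'_1, \dots, Y'_1, \dots, X'_n) \oplus \dots \oplus Y_m(X'_1, \dots, Y'_m, \dots, X'_n)$; 

- $X\{X_1(X'_1) \oplus \dots \oplus X_n(X'_n)\} \equiv X(X_1\{X'_1\}, \dots, X_n\{X'_n\})$. 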

Basically, the equivalence definition (apart from the last three cases) states 
that $\lambda$ in record attributes can be added or removed, and that order in record 
and union attributes does not matter. The last two cases in Definition 4 cover 
restructuring rules that were already introduced in [2]. Obviously, if we have 
a set of labelled elements, we can split this set into $n$ subsets, each of which 
contains just the elements with a particular label, and the union of these sets is 
the original set. 

In the following we identify $\mathcal{N}$ with the set $\mathcal{N}/\!\equiv$ of equivalence classes. In 
particular, we will write $=$ instead of $\equiv$, and in the following definition we should 
say that $Y$ is a subattribute of $X$ iff $\tilde{X} \ge \tilde{Y}$ holds for some $\tilde{X} \equiv X$ and $\tilde{Y} \equiv Y$. 
Fig. 1. The lattice $\mathcal{S}(X\{X_1(A) \oplus X_2(B)\})$ (Hasse diagram of the subattributes ordered by $\ge$) 



Definition 5. For $X, Y \in \mathcal{N}$ we say that $Y$ is a subattribute of $X$, iff $X \ge Y$ 
holds, where $\ge$ is the smallest partial order on $\mathcal{N}$ satisfying the following 
properties: 

- $X \ge \lambda$ for all $X \in \mathcal{N}$; 

- $X(Y_1, \dots, Y_n) \ge X(X'_{\sigma(1)}, \dots, X'_{\sigma(m)})$ for some injective $\sigma : \{1, \dots, m\} \to \{1, \dots, n\}$ 
and $Y_{\sigma(i)} \ge X'_{\sigma(i)}$ for all $i = 1, \dots, m$; 

- $X_1(Y_1) \oplus \dots \oplus X_n(Y_n) \ge X_{\sigma(1)}(X'_{\sigma(1)}) \oplus \dots \oplus X_{\sigma(n)}(X'_{\sigma(n)})$ for some 
permutation $\sigma$ and $Y_i \ge X'_i$ for all $i = 1, \dots, n$; 

- $X\{Y\} \ge X\{X'\}$ iff $Y \ge X'$; 

- $X(X_{i_1}\{\lambda\}, \dots, X_{i_k}\{\lambda\}) \ge X_{\{i_1, \dots, i_k\}}\{\lambda\}$. 

Note that the last case in Definition 5 arises from the restructuring for 
sets of unions. We have to add a little remark on notation here. As we identify 
$X\{X_1(X'_1) \oplus \dots \oplus X_n(X'_n)\}$ with $X(X_1\{X'_1\}, \dots, X_n\{X'_n\})$, we obtain 
subattributes $X(X_{i_1}\{X'_{i_1}\}, \dots, X_{i_k}\{X'_{i_k}\})$ for each subset $I = \{i_1, \dots, i_k\} \subseteq \{1, \dots, n\}$. 
As we can also identify such a subattribute with $X\{X_{i_1}(X'_{i_1}) \oplus \dots \oplus X_{i_k}(X'_{i_k})\}$, 
we obtain subattributes of the form “$X\{\lambda\}$” for all such subsets 
of indices. In order to distinguish these subattributes from each other, we use 
new labels $X_I$ and write $X_I\{\lambda\}$. Note that $X_\emptyset\{\lambda\} = \lambda$, $X_{\{1, \dots, n\}}\{\lambda\} = X\{\lambda\}$ 
and $X_{\{i\}}\{\lambda\} = X(X_i\{\lambda\})$. 

Further note that due to the restructuring rules in Definitions 4 and 5 we may 
have the case that a record attribute is a subattribute of a set attribute and vice 
versa. This cannot be the case, if the union-constructor is absent. However, the 
presence of the restructuring rules allows us to assume that the union-constructor 
only appears inside a set-constructor or as the outermost constructor. This will 
be frequently exploited in our proofs. 

Obviously, $X \ge Y$ induces a projection map $\pi^X_Y : dom(X) \to dom(Y)$. For 
$X \equiv Y$ we have $X \ge Y$ and $Y \ge X$ and the projection maps $\pi^X_Y$ and $\pi^Y_X$ are 
inverse to each other. 

We use the notation $\mathcal{S}(X) = \{Z \in \mathcal{N} \mid X \ge Z\}$ to denote the set 
of subattributes of a nested attribute $X$. Figure 1 shows the subattributes of 
$X\{X_1(A) \oplus X_2(B)\} = X(X_1\{A\}, X_2\{B\})$ together with the relation $\ge$ on them. 
Note that the subattribute $X\{\lambda\}$ would not occur, if we only considered the 
record-structure, whereas other subattributes such as $X(X_1\{\lambda\})$ would not 
occur, if we only considered the set-structure. This is a direct consequence of the 
restructuring rules. 



2.3 The Brouwer Algebra Structure 

Let us now investigate the structure of $\mathcal{S}(X)$. We obtain a non-distributive 
Brouwer algebra, i.e. a non-distributive lattice with relative 
pseudo-complements. 

Definition 6. Let $\mathcal{L}$ be a lattice with zero and one, partial order $\le$, join $\sqcup$ 
and meet $\sqcap$. $\mathcal{L}$ has relative pseudo-complements iff for all $Y, Z \in \mathcal{L}$ the infimum 
$Y \leftarrow Z = \sqcap\{U \mid U \sqcup Y \ge Z\}$ exists. Then $Y \leftarrow 1$ ($1$ being the one in $\mathcal{L}$) is 
called the relative complement of $Y$. 

If we have distributivity in addition, we call $\mathcal{L}$ a Brouwer algebra. In this 
case the relative pseudo-complements satisfy $U \ge (Y \leftarrow Z)$ iff $(U \sqcup Y \ge Z)$, but 
if we do not have distributivity this property may be violated though relative 
pseudo-complements exist. 

Proposition 1. The set $\mathcal{S}(X)$ of subattributes carries the structure of a lattice 
with zero and one and relative pseudo-complements, where the order $\ge$ is as 
defined in Definition 5, and $\lambda$ and $X$ are the zero and one, respectively. 

It is easy to determine explicit inductive definitions of the operations $\sqcap$ 
(meet), $\sqcup$ (join) and $\leftarrow$ (relative pseudo-complement). This can be done by 
boring technical verification of the properties of meets, joins and relative 
pseudo-complements and is therefore omitted here. 

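Example 1. Let $X = X\{X_1(A) \oplus X_2(B)\}$ with $\mathcal{S}(X)$ as illustrated in Figure 1, 
$Y_1 = X\{\lambda\}$, $Y_2 = X(X_2\{B\})$, and $Z = X(X_1\{A\})$. Then we have 

$Z \sqcap (Y_1 \sqcup Y_2) = X(X_1\{A\}) \sqcap (X\{\lambda\} \sqcup X(X_2\{B\})) = X(X_1\{A\}) \sqcap X(X_1\{\lambda\}, X_2\{B\}) = X(X_1\{\lambda\}) \neq \lambda = \lambda \sqcup \lambda = (X(X_1\{A\}) \sqcap X\{\lambda\}) \sqcup (X(X_1\{A\}) \sqcap X(X_2\{B\})) = (Z \sqcap Y_1) \sqcup (Z \sqcap Y_2)$. 

This shows that $\mathcal{S}(X)$ in general is not a distributive lattice. Furthermore, 
$Y' \sqcup Z \ge Y_1$ holds for all $Y'$ except $\lambda$, $X(X_1\{\lambda\})$ and $X(X_1\{A\})$. So $Z \leftarrow Y_1 = \lambda$, 
but not all $Y' \ge \lambda$ satisfy $Y' \sqcup Z \ge Y_1$. □ 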
3 Sound Derivation Rules for Weak Functional Dependencies 

In this section we will define functional and weak functional dependencies on 
$\mathcal{S}(X)$ and derive some sound derivation rules. The first thought would be to 
consider single nested attributes, as in the RDM $\sqcup$ corresponds to the union $\cup$, 
and $\sqcap$ to the intersection $\cap$. However, if we treat functional dependencies in this 
way, we cannot obtain a generalisation of the extension rule. Therefore, we have 
to consider sets of subattributes. 

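Definition 7. Let $X \in \mathcal{N}$. A functional dependency (FD) on $\mathcal{S}(X)$ is an 
expression $\mathcal{Y} \to \mathcal{Z}$ with $\mathcal{Y}, \mathcal{Z} \subseteq \mathcal{S}(X)$. A weak functional dependency (wFD) on $\mathcal{S}(X)$ is 
an expression $\{|\, \mathcal{Y}_i \to \mathcal{Z}_i \mid i \in I \,|\}$ with an index set $I$ and $\mathcal{Y}_i, \mathcal{Z}_i \subseteq \mathcal{S}(X)$. 

In the following we consider finite sets $r \subseteq dom(X)$, which we will call simply 
instances of $X$. 

Definition 8. Let $r$ be an instance of $X$. We say that $r$ satisfies the FD $\mathcal{Y} \to \mathcal{Z}$ 
on $\mathcal{S}(X)$ (notation: $r \models \mathcal{Y} \to \mathcal{Z}$) iff for all $t_1, t_2 \in r$ with $\pi^X_Y(t_1) = \pi^X_Y(t_2)$ for all 
$Y \in \mathcal{Y}$ we also have $\pi^X_Z(t_1) = \pi^X_Z(t_2)$ for all $Z \in \mathcal{Z}$. 

$r$ satisfies the wFD $\{|\, \mathcal{Y}_i \to \mathcal{Z}_i \mid i \in I \,|\}$ on $\mathcal{S}(X)$ (notation: $r \models \{|\, \mathcal{Y}_i \to \mathcal{Z}_i \mid i \in I \,|\}$) 
iff for all $t_1, t_2 \in r$ there is some $i \in I$ with $\{t_1, t_2\} \models \mathcal{Y}_i \to \mathcal{Z}_i$. 

According to this definition we identify a wFD $\{|\, \mathcal{Y} \to \mathcal{Z} \,|\}$, i.e. the index set 
contains exactly one element, with the “ordinary” FD $\mathcal{Y} \to \mathcal{Z}$. 

Let $\Sigma$ be a set of FDs and wFDs. A FD or wFD $\psi$ is implied by $\Sigma$ (notation: 
$\Sigma \models \psi$) iff all instances $r$ with $r \models \varphi$ for all $\varphi \in \Sigma$ also satisfy $\psi$. As usual we 
write $\Sigma^* = \{\psi \mid \Sigma \models \psi\}$. 

As usual we write $\Sigma^+$ for the set of all FDs and wFDs that can be derived 
from $\Sigma$ by applying a system $\mathfrak{R}$ of axioms and rules, i.e. $\Sigma^+ = \{\psi \mid \Sigma \vdash_{\mathfrak{R}} \psi\}$. 
We omit the standard definitions of derivations with a given rule system, and 
also write simply $\vdash$ instead of $\vdash_{\mathfrak{R}}$, if the rule system is clear from the context. 

Our goal is to find a finite axiomatisation, i.e. a rule system $\mathfrak{R}$ such that 
$\Sigma^* = \Sigma^+$ holds. The rules in $\mathfrak{R}$ are sound iff $\Sigma^+ \subseteq \Sigma^*$ holds, and complete iff 
$\Sigma^* \subseteq \Sigma^+$ holds. 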



3.1 Axioms and Rules for Functional Dependencies 

Let us first look only at “ordinary” FDs. We indicated above that we cannot 
obtain a simple generalisation of Armstrong’s extension rule for FDs in the 
relational model, so we will need a particular notion of “semi-disjointness” that 
will permit such a generalisation. 

Definition 9. Two subattributes $Y, Z \in \mathcal{S}(X)$ are called semi-disjoint iff one 
of the following holds: 

1. $Y \ge Z$ or $Z \ge Y$; 

2. $X = X(X_1, \dots, X_n)$, $Y = X(Y_1, \dots, Y_n)$, $Z = X(Z_1, \dots, Z_n)$ and $Y_i, Z_i \in \mathcal{S}(X_i)$ 
are semi-disjoint for all $i = 1, \dots, n$; 

3. $X = X_1(X'_1) \oplus \dots \oplus X_n(X'_n)$, $Y = X_1(Y'_1) \oplus \dots \oplus X_n(Y'_n)$, $Z = X_1(Z'_1) \oplus \dots \oplus X_n(Z'_n)$ 
and $Y'_i, Z'_i \in \mathcal{S}(X'_i)$ are semi-disjoint for all $i = 1, \dots, n$. 

Note that for the set- and multiset-constructor we can only obtain 
semi-disjointness for subattributes in a $\ge$-relation. With the notion of 
semi-disjointness we can formulate axioms and rules for FDs and show their soundness. 



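Theorem 1. The following axioms and rules are sound for the implication of 
FDs on $\mathcal{S}(X)$: 

$\lambda$ axiom: $\emptyset \to \{\lambda\}$ (1) 

subattribute axiom: $\{Y\} \to \{Z\}$, $Y \ge Z$ (2) 

join axiom: $\{Y, Z\} \to \{Y \sqcup Z\}$, $Y, Z$ semi-disjoint (3) 

reflexivity axiom: (4) 

extension rule: $\dfrac{\mathcal{Y} \to \mathcal{Z}}{\mathcal{Y} \to \mathcal{Y} \cup \mathcal{Z}}$ (5) 

transitivity rule: $\dfrac{\mathcal{Y} \to \mathcal{Z} \quad \mathcal{Z} \to \mathcal{U}}{\mathcal{Y} \to \mathcal{U}}$ (6) 

set axiom: $\{X_I\{\lambda\}, X_J\{\lambda\}\} \to \{X_{I \cup J}\{\lambda\}\}$, $I \cap J = \emptyset$ (7) 

set lifting rule: $\dfrac{\{Y\} \to \mathcal{Z}}{\{X\{Y\}\} \to \{X\{Z\} \mid Z \in \mathcal{Z}\}}$, $X = X\{X'\}$, $Y \in \mathcal{S}(X')$, $\mathcal{Z} \subseteq \mathcal{S}(X')$ (8) 

record lifting rule: $\dfrac{\mathcal{Y}_i \to \mathcal{Z}_i}{\{X(\lambda, \dots, Y_i, \dots, \lambda) \mid Y_i \in \mathcal{Y}_i\} \to \{X(\lambda, \dots, Z_i, \dots, \lambda) \mid Z_i \in \mathcal{Z}_i\}}$ 
with conditions: $X = X(X_1, \dots, X_n)$ and $\mathcal{Y}_i, \mathcal{Z}_i \subseteq \mathcal{S}(X_i)$ (9) 

union lifting rule: $\dfrac{\mathcal{Y}_i \to \mathcal{Z}_i}{\{\dots \oplus X_i(Y_i) \oplus \dots \mid Y_i \in \mathcal{Y}_i\} \to \{\dots \oplus X_i(Z_i) \oplus \dots \mid Z_i \in \mathcal{Z}_i\}}$ 
with conditions: $X = X(X_1, \dots, X_n)$ and $\mathcal{Y}_i, \mathcal{Z}_i \subseteq \mathcal{S}(X'_i)$, $\mathcal{Y}_i \neq \emptyset$ (10) 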



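We omit the easy proof. Note that (4), (5) and (6) are the Armstrong-axioms 
that are well-known from the RDM. Axioms (1), (2) and (3) are structural axioms 
dealing with the Brouwer algebra structure on $\mathcal{S}(X)$. The set-axiom (7) is only 
needed in the presence of the union-constructor. The same applies to the lifting 
rules (8), (9) and (10). If the union-constructor is absent, we can only “lift” 
FDs that can also be derived without using the lifting rules. 

It is easy to derive additional rules: 

union rule: $\dfrac{\mathcal{Y} \to \mathcal{Z} \quad \mathcal{Y} \to \mathcal{U}}{\mathcal{Y} \to \mathcal{Z} \cup \mathcal{U}}$ (11) 

fragmentation rule: $\dfrac{\mathcal{Y} \to \mathcal{Z}}{\mathcal{Y} \to \{Z\}}$, $Z \in \mathcal{Z}$ (12) 

join rule: $\dfrac{\{Y\} \to \{Z\}}{\{Y\} \to \{Y \sqcup Z\}}$, $Y, Z$ semi-disjoint (13) 

For the union rule (11) we use the following derivation: 

$\dfrac{\mathcal{Y} \cup \mathcal{Z} \to \mathcal{Y} \quad \mathcal{Y} \to \mathcal{U}}{\mathcal{Y} \cup \mathcal{Z} \to \mathcal{U}}$ 

$\dfrac{\dfrac{\mathcal{Y} \to \mathcal{Z}}{\mathcal{Y} \to \mathcal{Y} \cup \mathcal{Z}} \quad \dfrac{\mathcal{Y} \cup \mathcal{Z} \to \mathcal{Y} \cup \mathcal{Z} \cup \mathcal{U} \quad \mathcal{Y} \cup \mathcal{Z} \cup \mathcal{U} \to \mathcal{Z} \cup \mathcal{U}}{\mathcal{Y} \cup \mathcal{Z} \to \mathcal{Z} \cup \mathcal{U}}}{\mathcal{Y} \to \mathcal{Z} \cup \mathcal{U}}$ 

For the fragmentation rule (12) we use the following derivation: 

$\dfrac{\mathcal{Y} \to \mathcal{Z} \quad \mathcal{Z} \to \{Z\}}{\mathcal{Y} \to \{Z\}}$ 

Finally, for the join-rule (13) we use the following derivation: 

$\dfrac{\dfrac{\{Y\} \to \{Z\}}{\{Y\} \to \{Y, Z\}} \quad \{Y, Z\} \to \{Y \sqcup Z\}}{\{Y\} \to \{Y \sqcup Z\}}$ 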

3.2 Axioms and Rules for Weak Functional Dependencies 

The axioms and rules in Theorem 1 only apply to “ordinary” FDs. For the 
implication of wFDs we need additional axioms and rules. 

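Theorem 2. The following axioms and rules are sound for the implication of 
wFDs on $\mathcal{S}(X)$: 

- union axiom (for $X = X\{X_1(X'_1) \oplus \dots \oplus X_n(X'_n)\}$ and $I = \{i_1, \dots, i_k\}$): 

$\{|\, \{X_I\{\lambda\}\} \to \{X_J\{\lambda\}\},\ \{X_I\{\lambda\}\} \to \{X(X_{i_1}\{X'_{i_1}\}, \dots, X_{i_k}\{X'_{i_k}\})\} \,|\}$, $I \subseteq J$ (14) 

- partition axioms (for $X = X\{X_1(X'_1) \oplus \dots \oplus X_n(X'_n)\}$ and $I \subseteq \{1, \dots, n\}$): 

$\{|\, \{X_I\{\lambda\}\} \to \{X_{I'_1 \cup I'_2}\{\lambda\} \mid \emptyset \neq I'_1 \subseteq I_1, \emptyset \neq I'_2 \subseteq I_2\},\ \{X_I\{\lambda\}\} \to \{X(X_i\{\lambda\})\} \mid I = I_1 \cup I_2, I_1 \cap I_2 = \emptyset, I_1 \neq \emptyset \neq I_2, i \in I \,|\}$ 

and 

$\{|\, \{X_{I'}\{\lambda\} \mid I' \cap I_1 \neq \emptyset \neq I' \cap I_2\} \cup \{X_{I_1}\{\lambda\}\} \to \{X(X_i\{\lambda\})\} \mid I = I_1 \cup I_2, i \in I \,|\}$ (15) 

- plus/minus axioms (for $X = X\{X_1(X'_1) \oplus \dots \oplus X_n(X'_n)\}$): 

$\{|\, \{\lambda\} \to \{X_{J \cup \{i\}}\{\lambda\} \mid J \subseteq I^-\},\ \{X_{\{1, \dots, n\}}\{\lambda\}\} \to \{X_{I^-}\{\lambda\}\},\ \{X(X_j\{\lambda\})\} \to \{X\},\ \{\lambda\} \to \{X(X_k\{\lambda\})\} \mid i, j \in I^+, k \in I^- \,|\}$ 
with condition: $\{1, \dots, n\} = I^+ \cup I^-$ and 

$\{|\, \{X_{I^-}\{\lambda\}\} \to \{X_{J \cup \{i\}}\{\lambda\} \mid J \subseteq I^-\},\ \{X_{K \cup \{\ell\}}\{\lambda\}\} \to \{X_K\{\lambda\}\},\ \{X(X_j\{\lambda\})\} \to \{X\},\ \{\lambda\} \to \{X(X_k\{\lambda\})\} \mid i, j \in I^+, k \in I^- \,|\}$ 
with condition: $\{1, \dots, n\} = I^+ \cup I^-$, $K \subseteq I^-$, $\ell \in I^+$ (16) 

- weakening rule: $\dfrac{\{|\, \mathcal{Y}_i \to \mathcal{Z}_i \mid i \in I \,|\}}{\dots}$ (17) 

- left union rule: $\dfrac{\{|\, \mathcal{Y}_i \to \mathcal{Z}_i \mid i \in I \,|\}}{\{|\, \mathcal{Y} \to \mathcal{Z}_i \mid i \in I \,|\}}$, $\mathcal{Y} = \bigcup_{i \in I} \mathcal{Y}_i$ (18) 

- shift rule: $\dfrac{\{|\, \mathcal{Y} \cup \mathcal{U}_1 \to \{Z\} \mid Z \in \mathcal{Z} \cup (\mathcal{U} - \mathcal{U}_1) \,|\} \ \dots \ \{|\, \mathcal{Y} \cup \mathcal{U}_k \to \{Z\} \mid Z \in \mathcal{Z} \cup (\mathcal{U} - \mathcal{U}_k) \,|\}}{\{|\, \mathcal{Y} \to \{Z\} \mid Z \in \mathcal{Z} \,|\}}$ 
with condition: $\mathcal{P}(\mathcal{U}) = \{\mathcal{U}_1, \dots, \mathcal{U}_k\}$ (19) 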
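Proof. The soundness of the weakening rule (17) is trivial. Therefore, we 
concentrate only on the other axioms and rules. For the union axiom (14) let 
$X = X\{X_1(X'_1) \oplus \dots \oplus X_n(X'_n)\} = X(X_1\{X'_1\}, \dots, X_n\{X'_n\})$, $Y = X_I\{\lambda\}$, 
$Z_1 = X_J\{\lambda\}$ and $Z_2 = X(X_{i_1}\{X'_{i_1}\}, \dots, X_{i_k}\{X'_{i_k}\})$. Let $t_1, t_2 \in r$ with 
$\pi^X_Y(t_1) = \pi^X_Y(t_2)$ and $\pi^X_{Z_1}(t_1) \neq \pi^X_{Z_1}(t_2)$. Thus, one of $t_1$ or $t_2$ (without 
loss of generality let this be $t_2$) must not contain elements of the form 
$(X_j : v_j)$ with $j \in J$. On the other hand, either $t_1$ and $t_2$ both contain 
elements of the form $(X_i : v_i)$ with $i \in I$ or both do not. As $I \subseteq J$, it follows 
$\pi^X_{X(X_i\{\lambda\})}(t_1) = \pi^X_{X(X_i\{\lambda\})}(t_2) = \emptyset$ for all $i \in I$, which implies $\pi^X_{Z_2}(t_1) = \pi^X_{Z_2}(t_2)$. 

For the first partition axiom (15) let $t_1, t_2 \in r$ with $\pi^X_{X_I\{\lambda\}}(t_1) = \pi^X_{X_I\{\lambda\}}(t_2)$ 
and $\pi^X_{X(X_i\{\lambda\})}(t_1) \neq \pi^X_{X(X_i\{\lambda\})}(t_2)$ for all $i \in I$. Let $I_j \subseteq I$ be such that $t_j$ 
contains an element of the form $(X_i : v_i)$ for all $i \in I_j$ ($j = 1, 2$). Obviously, 
$I = I_1 \cup I_2$ and $\pi^X_{X_{I'}\{\lambda\}}(t_1) = \pi^X_{X_{I'}\{\lambda\}}(t_2)$ for all $I' \subseteq I$ with $I' \cap I_1 \neq \emptyset \neq I' \cap I_2$. 

For the second partition axiom (15) assume $\pi^X_{X(X_i\{\lambda\})}(t_1) \neq \pi^X_{X(X_i\{\lambda\})}(t_2)$ 
for all $i \in I$ and $\pi^X_{X_{I'}\{\lambda\}}(t_1) = \pi^X_{X_{I'}\{\lambda\}}(t_2)$ for all $I'$ with $I' \cap I_1 \neq \emptyset \neq I' \cap I_2$, 
in particular, $\pi^X_{X_I\{\lambda\}}(t_1) = \pi^X_{X_I\{\lambda\}}(t_2)$. Using the same construction of $I_1$ and $I_2$ 
again, we obtain $\pi^X_{X_{I_1}\{\lambda\}}(t_1) \neq \pi^X_{X_{I_1}\{\lambda\}}(t_2)$, which proves the claim. 

For the first plus/minus axiom in (16) let $t_1, t_2$ satisfy $\pi^X_{X_j\{\lambda\}}(t_1) = \pi^X_{X_j\{\lambda\}}(t_2)$ 
and $\pi^X_{X_k\{\lambda\}}(t_1) \neq \pi^X_{X_k\{\lambda\}}(t_2)$ for all $j \in I^+$ and $k \in I^-$. Assume 
that for all $i \in I^+$ there is some $J \subseteq I^-$ with $\pi^X_{X_{J \cup \{i\}}\{\lambda\}}(t_1) \neq \pi^X_{X_{J \cup \{i\}}\{\lambda\}}(t_2)$, 
i.e. one of these projections must be $\emptyset$. As we have $\pi^X_{X_i\{\lambda\}}(t_1) = \pi^X_{X_i\{\lambda\}}(t_2)$, 
these must both be $\emptyset$, which implies $\pi^X_{X_{I^+}\{\lambda\}}(t_j) = \emptyset$ for $j = 1, 2$. Now 
$\pi^X_{X_k\{\lambda\}}(t_1) \neq \pi^X_{X_k\{\lambda\}}(t_2)$ for all $k \in I^-$, so if $\pi^X_{X_{I^-}\{\lambda\}}(t_1) \neq \pi^X_{X_{I^-}\{\lambda\}}(t_2)$ holds, 
one of these projections must be $\emptyset$ again, which implies that one $t_j$ is $\emptyset$, the other 
not empty. That is $\pi^X_{X_{\{1, \dots, n\}}\{\lambda\}}(t_1) \neq \pi^X_{X_{\{1, \dots, n\}}\{\lambda\}}(t_2)$. 

For the second plus/minus axiom in (16) let again $t_1, t_2$ satisfy $\pi^X_{X_j\{\lambda\}}(t_1) = \pi^X_{X_j\{\lambda\}}(t_2)$ 
and $\pi^X_{X_k\{\lambda\}}(t_1) \neq \pi^X_{X_k\{\lambda\}}(t_2)$ for all $j \in I^+$ and $k \in I^-$. Now assume 
$\pi^X_{X_{I^-}\{\lambda\}}(t_1) = \pi^X_{X_{I^-}\{\lambda\}}(t_2)$. Then, arguing in the same way as for the first 
partition axiom we obtain a partition $I^- = I_1 \cup I_2$ with $\pi^X_{X_{I'}\{\lambda\}}(t_1) \neq \pi^X_{X_{I'}\{\lambda\}}(t_2)$, 
whenever $\emptyset \neq I' \subseteq I_1$ or $\emptyset \neq I' \subseteq I_2$, and $\pi^X_{X_{I'}\{\lambda\}}(t_1) = \pi^X_{X_{I'}\{\lambda\}}(t_2)$ for all $I'$ 
with $I' \cap I_1 \neq \emptyset \neq I' \cap I_2$. Now assume that for all $i \in I^+$ there is some $J \subseteq I^-$ 
with $\pi^X_{X_{J \cup \{i\}}\{\lambda\}}(t_1) \neq \pi^X_{X_{J \cup \{i\}}\{\lambda\}}(t_2)$. Same as for the first plus/minus axiom we 
conclude $\pi^X_{X_{I^+}\{\lambda\}}(t_j) = \emptyset$ for $j = 1, 2$. Now, if $\pi^X_{X_K\{\lambda\}}(t_1) \neq \pi^X_{X_K\{\lambda\}}(t_2)$, i.e. 
$K \subseteq I_1$ or $K \subseteq I_2$, then we also have $\pi^X_{X_{K \cup \{\ell\}}\{\lambda\}}(t_1) \neq \pi^X_{X_{K \cup \{\ell\}}\{\lambda\}}(t_2)$. 

For the left union rule (18) assume $r \not\models \{|\, \mathcal{Y} \to \mathcal{Z}_i \mid i \in I \,|\}$, i.e. there exist 
$t_1, t_2 \in r$ such that for all $i \in I$ we get $\pi^X_Y(t_1) = \pi^X_Y(t_2)$ for all $Y \in \mathcal{Y}$ and 
$\pi^X_{Z_i}(t_1) \neq \pi^X_{Z_i}(t_2)$ for some $Z_i \in \mathcal{Z}_i$. In particular, $\pi^X_Y(t_1) = \pi^X_Y(t_2)$ for all 
$Y \in \mathcal{Y}_i$, hence $r \not\models \{|\, \mathcal{Y}_i \to \mathcal{Z}_i \mid i \in I \,|\}$. 

For the shift rule (19) assume $r \not\models \{|\, \mathcal{Y} \to \{Z\} \mid Z \in \mathcal{Z} \,|\}$, i.e. there exist 
$t_1, t_2 \in r$ such that $\pi^X_Y(t_1) = \pi^X_Y(t_2)$ for all $Y \in \mathcal{Y}$ and $\pi^X_Z(t_1) \neq \pi^X_Z(t_2)$ for all 
$Z \in \mathcal{Z}$. Take a maximal $\mathcal{U}' \subseteq \mathcal{U}$ such that $\pi^X_U(t_1) = \pi^X_U(t_2)$ for all $U \in \mathcal{U}'$. If 
we had $r \models \{|\, \mathcal{Y} \cup \mathcal{U}' \to \{Z\} \mid Z \in \mathcal{Z} \cup (\mathcal{U} - \mathcal{U}') \,|\}$, we would have $\mathcal{U}' \subset \mathcal{U}$, and 
there would exist some $V \in \mathcal{U} - \mathcal{U}'$ with $\pi^X_V(t_1) = \pi^X_V(t_2)$, which contradicts the 
maximality of $\mathcal{U}'$. □ 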
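
The following is an added example, not part of the paper: a brute-force check of FD and wFD satisfaction (Definition 8) on the nested attribute X{X1(A) ⊕ X2(B)} of Figure 1, covering an instance of the union axiom (14) and the join of Example 1. The projection for X_I{λ} is modelled as a flag "contains an element labelled in I", as used in the soundness proof above; the sample domains and all Python names are assumptions.

```python
from itertools import combinations

# Labelled elements (label index, simple value) of a value of X{X1(A) (+) X2(B)}.
# Constructed sample domains: dom(A) = {a1, a2}, dom(B) = {b1}.
ELEMENTS = [(1, "a1"), (1, "a2"), (2, "b1")]


def all_values():
    """Every value of dom(X) over the sample domains: all sets of labelled elements."""
    return [frozenset(c) for k in range(len(ELEMENTS) + 1)
            for c in combinations(ELEMENTS, k)]


# Each subattribute is modelled by its projection map on values t.
def flag(*labels):
    """X_I{lambda}: only records whether t holds an element with a label in I."""
    wanted = frozenset(labels)
    return lambda t: any(lab in wanted for lab, _ in t)


def elems(label):
    """X(X_i{X'_i}): the set of values carrying label X_i."""
    return lambda t: frozenset(v for lab, v in t if lab == label)


def record(*parts):
    """X(Y_1, ..., Y_m): tuple of the component projections."""
    return lambda t: tuple(p(t) for p in parts)


# Subattributes from Figure 1 ("l" stands for the null attribute lambda).
SUB = {
    "X{l}": flag(1, 2),
    "X(X1{l})": flag(1),
    "X(X2{l})": flag(2),
    "X(X1{A})": elems(1),
    "X(X2{B})": elems(2),
    "X(X1{l},X2{B})": record(flag(1), elems(2)),
    "X(X1{A},X2{B})": record(elems(1), elems(2)),
}


def agree(t1, t2, names):
    return all(SUB[n](t1) == SUB[n](t2) for n in names)


def pair_satisfies_fd(t1, t2, fd):
    lhs, rhs = fd
    return (not agree(t1, t2, lhs)) or agree(t1, t2, rhs)


def satisfies_fd(r, fd):
    """r |= Y -> Z: every pair agreeing on all of Y agrees on all of Z."""
    return all(pair_satisfies_fd(t1, t2, fd) for t1, t2 in combinations(r, 2))


def satisfies_wfd(r, fds):
    """r |= {| Y_i -> Z_i |}: every pair satisfies at least one member FD."""
    return all(any(pair_satisfies_fd(t1, t2, fd) for fd in fds)
               for t1, t2 in combinations(r, 2))


def violating_pair(r, fd):
    """First pair of values in r that violates the FD, or None."""
    for t1, t2 in combinations(r, 2):
        if not pair_satisfies_fd(t1, t2, fd):
            return t1, t2
    return None


# Union axiom (14) with I = {1}, J = {1, 2}.
UNION_AXIOM = [
    (["X(X1{l})"], ["X{l}"]),
    (["X(X1{l})"], ["X(X1{A})"]),
]

# Example 1: X{l} and X(X2{B}) have join X(X1{l},X2{B}) but are not semi-disjoint.
JOIN_NOT_SEMI_DISJOINT = (["X{l}", "X(X2{B})"], ["X(X1{l},X2{B})"])
# X(X1{A}) and X(X2{B}) are semi-disjoint (Definition 9, case 2).
JOIN_SEMI_DISJOINT = (["X(X1{A})", "X(X2{B})"], ["X(X1{A},X2{B})"])

if __name__ == "__main__":
    r = all_values()
    print("union axiom as wFD:", satisfies_wfd(r, UNION_AXIOM))
    for fd in UNION_AXIOM:
        print("  member FD alone:", fd, satisfies_fd(r, fd), violating_pair(r, fd))
    print("join, not semi-disjoint:", satisfies_fd(r, JOIN_NOT_SEMI_DISJOINT))
    print("join, semi-disjoint:", satisfies_fd(r, JOIN_SEMI_DISJOINT))
```

The wFD holds on every pair of values although neither member FD does, which is the disjunctive behaviour the weak dependencies capture.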
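Using the axioms and rules for wFDs we may also derive additional rules for 
FDs: 

$\dfrac{\{X(X_i\{\lambda\}), X\{\lambda\}\} \to \{X(X_i\{X'_i\})\}}{\{X(X_i\{\lambda\})\} \to \{X(X_i\{X'_i\})\}}$, $X = X\{X_1(X'_1) \oplus \dots \oplus X_n(X'_n)\}$ 

$\dfrac{\{X(X_i\{X'_i\})\} \to \{X\{\lambda\}\}}{\{X(X_i\{\lambda\})\} \to \{X\{\lambda\}\}}$, $X = X\{X_1(X'_1) \oplus \dots \oplus X_n(X'_n)\}$ 

For the first rule we use the following derivation, in which the last step applies 
the shift rule with $\phi = \{|\, \{X(X_i\{\lambda\})\} \to \{X(X_i\{X'_i\})\},\ \{X(X_i\{\lambda\})\} \to \{X\{\lambda\}\} \,|\}$ 
and $\mathcal{U} = \{X\{\lambda\}\}$: 

$\dfrac{\{|\, \{X(X_i\{\lambda\}), X\{\lambda\}\} \to \{X(X_i\{X'_i\})\} \,|\} \quad \phi}{\{|\, \{X(X_i\{\lambda\})\} \to \{X(X_i\{X'_i\})\} \,|\}}$ 

For the second rule we use the following derivation, in which we apply the 
shift rule (19) with $\mathcal{U} = \{X(X_i\{X'_i\})\}$ and the same $\phi$: 

$\dfrac{\dfrac{\{X(X_i\{\lambda\}), X(X_i\{X'_i\})\} \to \{X(X_i\{X'_i\})\} \quad \{X(X_i\{X'_i\})\} \to \{X\{\lambda\}\}}{\{|\, \{X(X_i\{\lambda\}), X(X_i\{X'_i\})\} \to \{X\{\lambda\}\} \,|\}}}{\{|\, \{X(X_i\{\lambda\})\} \to \{X\{\lambda\}\} \,|\}}$ 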

4 SHL-Ideals 

In this section we investigate ideals. Of particular interest will be ideals with 
additional closure properties, which we call “strong high-level ideals” or SHL- 
ideals for short. These ideals will appear naturally in the completeness proof in 
the next section. The main result of this section is Lemma 1. 

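In general, an ideal for a nested attribute $X$ is a subset $\mathcal{G} \subseteq \mathcal{S}(X)$ with $\lambda \in \mathcal{G}$ 
and whenever $Y \in \mathcal{G}$, $Z \in \mathcal{S}(X)$ with $Y \ge Z$, then also $Z \in \mathcal{G}$. Let us now 
address the closure properties that will turn ideals into “higher-level” or “strong 
higher-level ideals”. 

Definition 10. Let $X \in \mathcal{N}$. An SHL-ideal on $\mathcal{S}(X)$ is a subset $\mathcal{F} \subseteq \mathcal{S}(X)$ with 
the following properties: 

1. $\lambda \in \mathcal{F}$; 

2. if $Y \in \mathcal{F}$ and $Z \in \mathcal{S}(X)$ with $Y \ge Z$, then $Z \in \mathcal{F}$; 

3. if $Y, Z \in \mathcal{F}$ are semi-disjoint, then $Y \sqcup Z \in \mathcal{F}$; 

4. a) if $X_I\{\lambda\} \in \mathcal{F}$ and $X_J\{\lambda\} \notin \mathcal{F}$ for $I \subseteq J$, then 
$X(X_{i_1}\{X'_{i_1}\}, \dots, X_{i_k}\{X'_{i_k}\}) \in \mathcal{F}$ for $I = \{i_1, \dots, i_k\}$; 

b) if $X_I\{\lambda\} \in \mathcal{F}$ and $X(X_i\{\lambda\}) \in \mathcal{S}(X) - \mathcal{F}$ for all $i \in I$, then there is a 
partition $I = I_1 \cup I_2$ with $X_{I_1}\{\lambda\} \notin \mathcal{F}$, $X_{I_2}\{\lambda\} \notin \mathcal{F}$ and $X_{I'}\{\lambda\} \in \mathcal{F}$ for 
all $I' \subseteq I$ with $I' \cap I_1 \neq \emptyset \neq I' \cap I_2$; 

c) if $X_{\{1, \dots, n\}}\{\lambda\} \in \mathcal{F}$ and $X_{I^-}\{\lambda\} \notin \mathcal{F}$ (for $I^- = \{i \in \{1, \dots, n\} \mid X(X_i\{\lambda\}) \notin \mathcal{F}\}$), 
then there exists some $i \in I^+ = \{i \in \{1, \dots, n\} \mid X(X_i\{\lambda\}) \in \mathcal{F}\}$ 
such that for all $J \subseteq I^-$ $X_{J \cup \{i\}}\{\lambda\} \in \mathcal{F}$ holds; 

d) if $X_{I^-}\{\lambda\} \in \mathcal{F}$ and for all $i \in I^+ = \{i \in \{1, \dots, n\} \mid X(X_i\{\lambda\}) \in \mathcal{F}\}$ 
there is some $J \subseteq I^-$ with $X_{J \cup \{i\}}\{\lambda\} \notin \mathcal{F}$, then for all $\ell \in I^+$ and all 
$K \subseteq I^-$ with $X_K\{\lambda\} \notin \mathcal{F}$ we also have $X_{K \cup \{\ell\}}\{\lambda\} \notin \mathcal{F}$; 

5. if $X_I\{\lambda\} \in \mathcal{F}$ and $X_J\{\lambda\} \in \mathcal{F}$ with $I \cap J = \emptyset$, then $X_{I \cup J}\{\lambda\} \in \mathcal{F}$; 

6. a) if $X = X(X'_1, \dots, X'_n)$, then $\mathcal{F}_i = \{Y_i \in \mathcal{S}(X'_i) \mid X(\lambda, \dots, Y_i, \dots, \lambda) \in \mathcal{F}\}$ 
is an SHL-ideal; 

b) if $X = X_1(X'_1) \oplus \dots \oplus X_n(X'_n)$ and $\mathcal{F} \neq \{\lambda\}$, then the set 
$\mathcal{F}_i = \{Y_i \in \mathcal{S}(X'_i) \mid X_1(\lambda) \oplus \dots \oplus X_i(Y_i) \oplus \dots \oplus X_n(\lambda) \in \mathcal{F}\}$ is an SHL-ideal; 

c) if $X = X\{X'\}$ and $\mathcal{F} \neq \{\lambda\}$, then $\mathcal{G} = \{Y \in \mathcal{S}(X') \mid X\{Y\} \in \mathcal{F}\}$ is a 
semi-SHL-ideal. 

An ideal satisfying properties 1-3 will be called HL-ideal. An ideal is called 
a semi-SHL-ideal iff it satisfies properties 1, 2, 4 and a modification of 6, in 
which we only require a semi-SHL-ideal instead of an SHL-ideal. 

A semi-SHL-ideal $\mathcal{G}$ can be written as a union of SHL-ideals, say $\mathcal{G} = \mathcal{H}_1 \cup \dots \cup \mathcal{H}_k$. 
If there is no inclusion among these SHL-ideals, we say that $\{\mathcal{H}_1, \dots, \mathcal{H}_k\}$ 
covers $\mathcal{G}$. 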

The next lemma is the main result of this section. Its proof is very technical 
and lengthy, and is omitted here. 

Lemma 1 (Central Lemma). Let $X$ be a nested attribute such that the 
union-constructor appears in $X$ only inside a set-constructor. If $\mathcal{F}$ is an SHL-ideal on 
$\mathcal{S}(X)$, then there exist tuples $t_1, t_2 \in dom(X)$ with $\pi^X_Y(t_1) = \pi^X_Y(t_2)$ iff $Y \in \mathcal{F}$. 
Furthermore, if $\mathcal{G}$ is a semi-SHL-ideal on $\mathcal{S}(X)$, then there are finite sets 
$S_1, S_2 \subseteq dom(X)$ with $\{\pi^X_Y(\tau) \mid \tau \in S_1\} = \{\pi^X_Y(\tau) \mid \tau \in S_2\}$ iff $Y \in \mathcal{G}$. 

5 The Completeness of the Derivation Rules 

In this section we want to show that the axioms and rules from Section 3 are 
also complete. This gives our main result. 

Before we come to the proof let us make a little observation on the 
union-constructor. If $X = X_1(X'_1) \oplus \dots \oplus X_n(X'_n)$ then each instance $r$ of $X$ can be 
partitioned into $r_i$ ($i = 1, \dots, n$), where $r_i$ contains exactly the $X_i$-labelled 
elements of $r$. Then $r$ satisfies a FD $\varphi = \mathcal{Y} \to \mathcal{Z}$ iff each $r_i$ satisfies the $i$'th projection 
$\varphi_i$ of $\varphi$, which results by replacing all subattributes $Y = X_1(Y_1) \oplus \dots \oplus X_n(Y_n)$ 
in $\mathcal{Y}$ or $\mathcal{Z}$ by $X_i(Y_i)$. Similarly, we see $\varphi \in \Sigma^+$ iff $\varphi_i \in \Sigma_i^+$ for all $i = 1, \dots, n$. 

Theorem 3. The axioms and rules in Theorems 1 and 2 are complete for the 
implication of wFDs. 

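Proof. Let $\Sigma$ be a set of wFDs on $\mathcal{S}(X)$ and assume $\{|\, \mathcal{Y}_i \to \mathcal{Z}_i \mid i \in I \,|\} \notin \Sigma^+$. 
Due to the union rule (11) we must have $\{|\, \mathcal{Y}_i \to \{Z_i\} \mid i \in I \,|\} \notin \Sigma^+$ for 
some selected $Z_i \in \mathcal{Z}_i$. Furthermore, due to the left union rule (18) we get 
$\{|\, \mathcal{Y} \to \{Z_i\} \mid i \in I \,|\} \notin \Sigma^+$ with $\mathcal{Y} = \bigcup_{i \in I} \mathcal{Y}_i$. 

Let $\mathcal{Z} = \{Z \mid Z \ge Z_i \text{ for some } i \in I\}$ and $\mathcal{U} = \mathcal{S}(X) - \mathcal{Y} - \mathcal{Z}$. Due to the 
reflexivity axiom (4) we obviously have $Z_i \notin \mathcal{Y}$, and then $\mathcal{Y} \cap \mathcal{Z} = \emptyset$ due to the 
subattribute axiom (2). Due to the shift rule (19) there must exist some $\mathcal{U}' \subseteq \mathcal{U}$ 
with $\{|\, \mathcal{Y} \cup \mathcal{U}' \to \{Z\} \mid Z \in \mathcal{Z} \cup (\mathcal{U} - \mathcal{U}') \,|\} \notin \Sigma^+$. Otherwise we could derive 
$\{|\, \mathcal{Y} \to \{Z\} \mid Z \in \mathcal{Z} \,|\}$, and thus $\{|\, \mathcal{Y} \to \{Z_i\} \mid i \in I \,|\} \in \Sigma^+$ contradicting our 
assumption. 

Take $\mathcal{U}'$ maximal with the given property. We show that $\mathcal{F} = \mathcal{Y} \cup \mathcal{U}'$ is an 
SHL-ideal. 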

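1. Assume $\mathcal{F} = \emptyset$. This implies $\mathcal{Z} \cup \mathcal{U} = \mathcal{S}(X)$ and thus $\{|\, \emptyset \to \{Z\} \mid Z \in \mathcal{S}(X) \,|\} \notin \Sigma^+$. 
This wFD, however, can be derived from $\{|\, \emptyset \to \{\lambda\} \,|\} \in \Sigma^+$ (due 
to the $\lambda$ axiom (1)) using the weakening rule (17). Thus, $\mathcal{F}$ is not empty. 

2. Now let $Y \in \mathcal{F}$ and $Y \ge Y'$. Assume $Y' \notin \mathcal{F}$. So $Y' \in \mathcal{U}$, otherwise we get 
$Y' \in \mathcal{Y} \cup \mathcal{Z}$, which implies $Y' \ge Z_i$ for some $i \in I$ and furthermore $Y \ge Y' \ge Z_i$, 
which gives the contradiction $Y \in \mathcal{Z}$. 

Now take $\mathcal{U}'' = \mathcal{U}' \cup \{Y'\}$. The subattribute axiom (2) together with the 
extension and transitivity rules (5) and (6) implies $\mathcal{Y} \cup \mathcal{U}' \to \mathcal{Y} \cup \mathcal{U}'' \in \Sigma^+$. 
As $\mathcal{U}'$ was chosen maximal, we also have $\{|\, \mathcal{Y} \cup \mathcal{U}'' \to \{Z\} \mid Z \in \mathcal{Z} \cup (\mathcal{U} - \mathcal{U}'') \,|\} \in \Sigma^+$. 
Using the transitivity rule (6) again, this gives $\{|\, \mathcal{Y} \cup \mathcal{U}' \to \{Z\} \mid Z \in \mathcal{Z} \cup (\mathcal{U} - \mathcal{U}'') \,|\} \in \Sigma^+$. 
Then the weakening rule (17) leads to the contradiction 
$\{|\, \mathcal{Y} \cup \mathcal{U}' \to \{Z\} \mid Z \in \mathcal{Z} \cup (\mathcal{U} - \mathcal{U}') \,|\} \in \Sigma^+$. 

3. Let $Y_1, Y_2 \in \mathcal{F}$ be semi-disjoint. Assume $Y = Y_1 \sqcup Y_2 \notin \mathcal{F}$. If $Y \in \mathcal{U}$, 
we take $\mathcal{U}'' = \mathcal{U}' \cup \{Y\}$. Due to the maximality of $\mathcal{U}'$ we get 
$\{|\, \mathcal{Y} \cup \mathcal{U}'' \to \{Z\} \mid Z \in \mathcal{Z} \cup (\mathcal{U} - \mathcal{U}'') \,|\} \in \Sigma^+$, thus by the weakening rule (17) also 
$\{|\, \mathcal{Y} \cup \mathcal{U}'' \to \{Z\} \mid Z \in \mathcal{Z} \cup (\mathcal{U} - \mathcal{U}') \,|\} \in \Sigma^+$. 

On the other hand, the join axiom (3) implies $\{Y_1, Y_2\} \to \{Y\} \in \Sigma^+$. Using 
the reflexivity axiom (4), the extension rule (5) and the transitivity rule (6) 
we obtain $\mathcal{Y} \cup \mathcal{U}' \to \mathcal{Y} \cup \mathcal{U}'' \in \Sigma^+$, from which we get the contradiction 
$\{|\, \mathcal{Y} \cup \mathcal{U}' \to \{Z\} \mid Z \in \mathcal{Z} \cup (\mathcal{U} - \mathcal{U}') \,|\} \in \Sigma^+$ by another application of the 
transitivity rule. 

If $Y \notin \mathcal{U}$, we get $Y \in \mathcal{Z}$, thus $\{Y\}$ is among the right hand sides in 
$\{|\, \mathcal{Y} \cup \mathcal{U}' \to \{Z\} \mid Z \in \mathcal{Z} \cup (\mathcal{U} - \mathcal{U}') \,|\} \notin \Sigma^+$. However, the join rule (13) together with 
the reflexivity axiom and the transitivity rule imply $\mathcal{Y} \cup \mathcal{U}' \to \{Y\} \in \Sigma^+$, 
hence the weakening rule leads to the contradiction 
$\{|\, \mathcal{Y} \cup \mathcal{U}' \to \{Z\} \mid Z \in \mathcal{Z} \cup (\mathcal{U} - \mathcal{U}') \,|\} \in \Sigma^+$. 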

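4. Assume $X_I\{\lambda\} \in \mathcal{F}$, but $X_J\{\lambda\} \notin \mathcal{F}$ for $\{i_1, \dots, i_k\} = I \subseteq J$. 
As $\mathcal{S}(X)$ is partitioned into $\mathcal{Z} \cup (\mathcal{U} - \mathcal{U}')$ and $\mathcal{F} = \mathcal{Y} \cup \mathcal{U}'$, we must 
have $X_J\{\lambda\} \in \mathcal{Z} \cup (\mathcal{U} - \mathcal{U}')$. From the union axiom (14), the 
transitivity rule and $X_I\{\lambda\} \in \mathcal{F}$ we conclude 
$\{|\, \mathcal{Y} \cup \mathcal{U}' \to \{Z\} \mid Z \in \{X_J\{\lambda\}, X(X_{i_1}\{X'_{i_1}\}, \dots, X_{i_k}\{X'_{i_k}\})\} \,|\} \in \Sigma^+$. Due to the weakening rule 
(17) it follows $\{|\, \mathcal{Y} \cup \mathcal{U}' \to \{Z\} \mid Z \in \mathcal{W} \,|\} \in \Sigma^+$ for all $\mathcal{W} \subseteq \mathcal{S}(X)$ with 
$X_J\{\lambda\}, X(X_{i_1}\{X'_{i_1}\}, \dots, X_{i_k}\{X'_{i_k}\}) \in \mathcal{W}$. According to the definition of $\mathcal{U}'$ 
we must have either $X_J\{\lambda\} \notin \mathcal{Z} \cup (\mathcal{U} - \mathcal{U}')$ or $X(X_{i_1}\{X'_{i_1}\}, \dots, X_{i_k}\{X'_{i_k}\}) \notin \mathcal{Z} \cup (\mathcal{U} - \mathcal{U}')$, 
which implies $X(X_{i_1}\{X'_{i_1}\}, \dots, X_{i_k}\{X'_{i_k}\}) \in \mathcal{F}$. 

The same argument applies for $X\{X'_I\{\lambda\}\} \in \mathcal{F}$, but $X\{X'_J\{\lambda\}\} \notin \mathcal{F}$ for 
$\{i_1, \dots, i_k\} = I \subseteq J$. Just use the set lifting rule (8) in addition. This implies 
$\dots, X_{i_k}\{X'_{i_k}\})\} \in \mathcal{F}$. This shows that the embedded ideal 
$\mathcal{G} = \{Y \in \mathcal{S}(X') \mid X\{Y\} \in \mathcal{F}\}$ satisfies this property, too. 

Furthermore, the same argument applies for $X(\lambda, \dots, X_{iI}\{\lambda\}, \dots, \lambda) \in \mathcal{F}$ 
and $X(\lambda, \dots, X_{iJ}\{\lambda\}, \dots, \lambda) \notin \mathcal{F}$ for $\{i_1, \dots, i_k\} = I \subseteq J$. Just use the 
record lifting rule (9) in addition. 

This implies $X(\lambda, \dots, X_i(X_{i_1}\{X'_{i_1}\}, \dots, X_{i_k}\{X'_{i_k}\}), \dots, \lambda) \in \mathcal{F}$, and shows 
that the embedded ideal $\mathcal{F}_i = \{Y_i \in \mathcal{S}(X_i) \mid X(\lambda, \dots, Y_i, \dots, \lambda) \in \mathcal{F}\}$ satisfies 
this property, too. Analogously, using the lifting rule for unions we can show 
this property for the embedded ideals induced by the union-constructor. 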

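5. Assume $X_I\{\lambda\} \in \mathcal{F}$, but $X(X_i\{\lambda\}) \notin \mathcal{F}$ for all $i \in I$. In particular 
$X(X_i\{\lambda\}) \in \mathcal{Z} \cup (\mathcal{U} - \mathcal{U}')$. Using the first partition axiom (15), the 
transitivity rule and $X_I\{\lambda\} \in \mathcal{F}$ we conclude 

$\{|\, \mathcal{Y} \cup \mathcal{U}' \to \{X_{I'_1 \cup I'_2}\{\lambda\} \mid \emptyset \neq I'_1 \subseteq I_1, \emptyset \neq I'_2 \subseteq I_2\},\ \mathcal{Y} \cup \mathcal{U}' \to \{X(X_i\{\lambda\})\} \mid I = I_1 \cup I_2, i \in I \,|\} \in \Sigma^+$. 

If for all partitions $I = I_1 \cup I_2$ we had at least one $X_{I'_1 \cup I'_2}\{\lambda\} \in \mathcal{Z} \cup (\mathcal{U} - \mathcal{U}')$, 
we can apply the reflexivity axiom, the transitivity rule and the weakening 
rule to derive $\{|\, \mathcal{Y} \cup \mathcal{U}' \to \{Z\} \mid Z \in \mathcal{Z} \cup (\mathcal{U} - \mathcal{U}') \,|\} \in \Sigma^+$ contradicting 
the assumption on $\mathcal{U}'$. Therefore, there is a partition $I = I_1 \cup I_2$ with 
$\{X_{I'_1 \cup I'_2}\{\lambda\} \mid \emptyset \neq I'_1 \subseteq I_1, \emptyset \neq I'_2 \subseteq I_2\} \subseteq \mathcal{F}$. If we had $X_{I_1}\{\lambda\} \in \mathcal{F}$ for all 
such partitions, we would get $\{X_{I'}\{\lambda\} \mid I' \cap I_1 \neq \emptyset \neq I' \cap I_2\} \cup \{X_{I_1}\{\lambda\}\} \subseteq \mathcal{F}$, 
thus using the reflexivity axiom, the transitivity rule, the second partition 
axiom, the fact that $X(X_i\{\lambda\}) \in \mathcal{Z} \cup (\mathcal{U} - \mathcal{U}')$ holds for all $i \in I$, and the weakening 
rule, we obtain again the contradiction $\{|\, \mathcal{Y} \cup \mathcal{U}' \to \{Z\} \mid Z \in \mathcal{Z} \cup (\mathcal{U} - \mathcal{U}') \,|\} \in \Sigma^+$. 
Thus, $X_{I_1}\{\lambda\}, X_{I_2}\{\lambda\} \notin \mathcal{F}$. 

Using again the lifting rules we obtain the corresponding property for 
embedded ideals. 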

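6. Assume $X_{\{1, \dots, n\}}\{\lambda\} \in \mathcal{F}$, $X_{I^-}\{\lambda\} \notin \mathcal{F}$ and for all $i \in I^+$ there is some 
$J \subseteq I^-$ with $X_{J \cup \{i\}}\{\lambda\} \notin \mathcal{F}$. Let this $J$ be denoted as $J_i$. Taking the first 
plus/minus axiom (16), the left hand sides of the FDs are always in $\mathcal{F}$. 
Therefore, using the reflexivity axiom and the transitivity rule we derive 
$\{|\, \mathcal{F} \to \{X_{J_i \cup \{i\}}\{\lambda\}\},\ \mathcal{F} \to \{X\},\ \mathcal{F} \to \{X_j\{\lambda\}\},\ \mathcal{F} \to \{X_{I^-}\{\lambda\}\} \mid i \in I^+, j \in I^- \,|\} \in \Sigma^+$. 
Now the right hand sides of the FDs are all not in $\mathcal{F}$, so the weakening rule 
implies $\{|\, \mathcal{F} \to \{Z\} \mid Z \notin \mathcal{F} \,|\} \in \Sigma^+$ contradicting the construction of $\mathcal{F}$, 
according to which $\mathcal{S}(X) - \mathcal{F} = \mathcal{Z} \cup (\mathcal{U} - \mathcal{U}')$ and $\{|\, \mathcal{F} \to \{Z\} \mid Z \in \mathcal{Z} \cup (\mathcal{U} - \mathcal{U}') \,|\} \notin \Sigma^+$. 

7. Assume $X_{I^-}\{\lambda\} \in \mathcal{F}$ and for all $i \in I^+$ there is some $J \subseteq I^-$ with 
$X_{J \cup \{i\}}\{\lambda\} \notin \mathcal{F}$ (let this be denoted as $J_i$) and further assume there is 
some $\ell \in I^+$ and some $K \subseteq I^-$ with $X_K\{\lambda\} \notin \mathcal{F}$, but $X_{K \cup \{\ell\}}\{\lambda\} \in \mathcal{F}$. 
Taking the second plus/minus axiom for this $K$ and $\ell$, all left hand sides 
of the FDs are always in $\mathcal{F}$. Therefore, using the reflexivity axiom and the 
transitivity rule we derive 
$\{|\, \mathcal{F} \to \{X_K\{\lambda\}\},\ \mathcal{F} \to \{X\},\ \mathcal{F} \to \{X_j\{\lambda\}\},\ \mathcal{F} \to \{X_{J_i \cup \{i\}}\{\lambda\}\} \mid i \in I^+, j \in I^- \,|\} \in \Sigma^+$. 
Now the right hand sides of the FDs 
are all not in $\mathcal{F}$, so the weakening rule implies $\{|\, \mathcal{F} \to \{Z\} \mid Z \notin \mathcal{F} \,|\} \in \Sigma^+$ 
contradicting $\{|\, \mathcal{F} \to \{Z\} \mid Z \notin \mathcal{F} \,|\} \notin \Sigma^+$. 

8. Assume $X_I\{\lambda\}, X_J\{\lambda\} \in \mathcal{F}$ with $I \cap J = \emptyset$. If $X_{I \cup J}\{\lambda\} \notin \mathcal{F}$, then 
$X_{I \cup J}\{\lambda\} \in \mathcal{Z} \cup (\mathcal{U} - \mathcal{U}')$. As before we can derive $\mathcal{Y} \cup \mathcal{U}' \to \{X_{I \cup J}\{\lambda\}\} \in \Sigma^+$ using 
the reflexivity axiom, the second multiset axiom and the transitivity rule. 
Then the application of the weakening rule leads to 
$\{|\, \mathcal{Y} \cup \mathcal{U}' \to \{Z\} \mid Z \in \mathcal{Z} \cup (\mathcal{U} - \mathcal{U}') \,|\} \in \Sigma^+$ contradicting the assumption on $\mathcal{U}'$. 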
Due to the restructuring rules in Definition 4 we may assume that the 
union-constructor appears in X only inside a set-, list- or multiset-constructor 
or as the outermost constructor. 

Let us first assume that the outermost constructor is not the union- 
constructor. Then we can apply the Central Lemma 1, which gives us r = 
{fi,f 2 } Q dom(X) with 7Ty (U) = 7Ty (£ 2 ) iff Y G = y U IF. In particular, 
7Ty(ii) = 7Ty(t 2 ) for all i G I and Y G Vi, and 7r^.(fi) ^ 7r^(t 2 ) for all i G I. 
That is, r {] y, — >■ {4} | i G /}. From the soundness of the fragmentation rule 
(12) we conclude r — > Zi \ i G /}. 

Now assume that the outermost constructor of X is the union-constructor, 
say X = Xi{X[) ® ■ ■ ■ ® X n (X' n ). We know that £F = y U It' is a SHL-ideal on 
S(X). If £F = {A}, then take t\ = (X-j : t\) and f 2 = (X 2 : t 2 ) with arbitrary 
tj G dom(Xj). Then 7 ry(tr) = 7 r y(t 2 ) iff Y = A. As before this implies r 
Vdi -t Zi | i G 4 with r = {ti,t 2 }. 

For J ^ {A} take the embedded SHL-ideal 3y on S(X'). Using the Central 

Lemma 1 we find iji,fj 2 G dom(X[ ) with 7Ty*(fii) = ’K Y i (ti 2 ) iff 1) G 4- 

As we have {T — > {Z} | Z G Z U (U — IF)} ^ A + , we must also have 
{Tj — > {Zj | Z G (Z U ('ll — lF))jf ^ Xf for at least one j. In particular, for 
Zi = X 1 (Z' 1 ) ® ■ ■ • ® X n (Z' n ) we find some j such that Z'j ^ Fy for all j G I. 

Now take r = {( Xj : tji),(Xj : fj 2 )}. Then for all i G I and all Y = 
Xi(Yi) ® ■ ■ ■ ® X n (Y n ) G ^ C IF we have lj G Tj, and we obtain 

({Xj ■ tj 1 )) = (Xj : tt^(^i)) = (Xj : 7 t y * (t j2 )) = TTy ((Xj : f j2 )) . 

On the other hand, Z'j £ Fy implies 

7rf.((^7 : tji)) = (4? : (tji)) ± (^i : ^ fea)) = nz f (( X j : ^ 2 )) 

tj tj 

for all i G /. That is r {y^ — » {Zi} \ i G /}, and hence r \/= — > Z, | i G 

4 by the soundness of the fragmentation rule (12). 

We will now show r |= £ in both cases. This implies r \= £*, and thus 
j^i — > Zi | i G 1} £*, which completes the proof. 

First assume again that the outermost constructor is not the union- 
constructor. Let {Vj — > W j | j G J} G £. 

1. If Vj y U IF for some j G J, we get 7 Ty(t\) ^ TTy (f 2 ) for some V G Vj. 
Thus r f= Vj — > W j and due to the soundness of the weakening rule also 
r |= iv j _> Wj | j G 4 . 

2. If Vj C y U IF for all j G J, we get y U IF — > Vj G £ + from the reflexivity 
axiom, {y UlF — > W j | j G J} G £ + from the transitivity rule, and §yuU' — > 
{Wj} | j G J} G £ + for any choices Wj G W j from the fragmentation rule. 
Assume we could select W :] G Wj — y — U' for all j G J. Then the weakening 
rule implies {y U U' {W} \ W G S(X) — y — It'} G £ + . However, §(A) — 
y — IF = Z U (U — IF), so we get a contradiction to the choice of It'. 
Therefore, we must have Wj C y U 'll' for some j G J. By construction of r 
we get 7r$r(ti) = 7Tjy(t 2 ) for all W G Wj, thus r (= Vj — > Wj. This implies 
r |= {Vj — > Wj | j G 4 due to the soundness of the weakening rule. 
If the outermost constructor is the union-constructor we just have to show 
r \= Sj. The proof is analogous to the case before. □ 

This main theorem shows the axiomatisation of wFDs. If $\Sigma$ is a set of 
“ordinary” FDs, we can apply the axioms and rules to $\Sigma$ and then the FDs 
in $\Sigma^+$ will be the implied FDs. Of course, we would like to have an 
axiomatisation for FDs that avoids such a detour via the wFDs. 

6 Conclusion 

In this paper we investigated functional dependencies and weak functional de- 
pendencies (i.e. disjunctions of functional dependencies) in the presence of a 
record constructor, a constructor for the null value “not exists”, a finite set 
constructor, and a disjoint union constructor. We achieved a finite axiomatisation 
for weak functional dependencies. 

The main technical tool for the completeness proof was a central lemma on 
SHL-ideals, i.e. ideals with certain additional closure properties as they arise 
from closures of sets of subattributes with respect to a given set of functional 
dependencies. Roughly speaking the central lemma guarantees the existence of 
values that coincide exactly on the SHL-ideal. The proof of the central lemma 
is quite elegant, as long as the union-constructor is absent. However, in the 
presence of the union-constructor, the proof becomes a bit awkward. Fortunately, 
the presence of restructuring rules for the union-constructor allows us to assume 
that the union constructor only appears as the outermost constructor or inside 
a set-constructor. 

The next steps are to extend the theory in several directions covering 
multi-valued dependencies, error-robustness, null values “unknown”, and references. 
We strongly conjecture that the results on SHL-ideals will turn out again to be 
a valuable proof tool. 

Furthermore, we would like to extend the theory also to multisets and lists, 
which add further restructuring rules. At the time of completing this paper the 
corresponding proof of the Cover Lemma including these two constructors was 
still flawed. Finally, we may think of projecting lists onto multisets — just forget 
the order of the elements — and multisets onto sets — forget the multiplicities. 
This would further extend the lattices of subattributes. 
Abstract. Nested lists are used as a data structure whenever order 
matters. List types are therefore supported by many advanced data models 
such as genomic sequence, deductive and object-oriented data models 
including XML. 

It is studied what impact the presence of the finite list type has on the 
two most important classes of relational dependencies. A finite axioma- 
tisation of functional and multi-valued dependencies in databases sup- 
porting base, record and finite list types is presented. In order to capture 
different data models at a time, an abstract algebraic approach based on 
nested attributes and subtyping is taken. This algebraic framework to- 
gether with a new inference rule allowing to derive non-trivial functional 
dependencies from multi-valued dependencies make the generalisation of 
the well-known theory from the relational data model natural. 



1 Introduction 

In designing databases the semantics of the application domain has to be cap- 
tured as completely as possible. As this cannot be expressed solely by structures, 
we have to use dependencies, i.e., sentences in a logic suitable for the data model 
used. Database theory has to investigate the implications arising from the pres- 
ence of dependencies. This means to describe semantically desirable properties 
of “well-designed” databases, e.g., the absence of redundancy, to characterise (if 
possible) them syntactically by in-depth investigation of the dependencies and to 
develop algorithms to transform schemata into normal forms, which guarantee 
the desirable properties to be satisfied. 

In the relational data model (RDM, [2,34]) a lot of research has been done 
on dependency theory and normal forms. Starting with the seminal work by 
Codd [18] normal forms such as third normal form (3NF), Boyce-Codd normal 
form (BCNF, [10,19]) and fourth normal form (4NF, [20,21,22]) have been 
introduced to characterise the absence of redundancy and update anomalies in 
the presence of functional and multi-valued dependencies (FDs, MVDs), though a 
theoretically convincing justification for these normal forms was given only 20 
years later [42]. Roughly speaking, a functional dependency $X \to Y$ requires 
that whenever two tuples of a relation coincide on $X$, they must also coincide 
on $Y$. A multi-valued dependency $X \twoheadrightarrow Y$ requires that whenever 
two tuples of a relation coincide on $X$, their values on $Y$ must be mutually 
exchangeable and thus generate additional tuples. 

Various other classes of dependencies for the RDM have been introduced 
(see [39] for an overview) and large parts of database theory deal with the 
finite axiomatisation of these dependencies and the finite implication problem 
for them, i.e., to decide that a dependency $\varphi$ is implied by a set of 
dependencies $\Sigma$, where implication refers to the fact that all finite models 
of $\Sigma$ are also models of $\varphi$. Armstrong [4] was the first to give a 
finite axiomatisation for FDs, and Beeri and others gave a finite axiomatisation 
for FDs and MVDs [9] and developed various versions of efficient decision 
algorithms [6,7,8]. 

During the last couple of decades, many new and different data models have 
been introduced. First, so called semantic data models have been developed [16, 
28], which were originally just meant to be used as design aids, as application 
semantics was assumed to be easier captured by these models [5,17,41]. Later on 
some of these models, especially the nested relational model [34], object oriented 
models [36] and object-relational models, the gist of which are captured by the 
higher-order Entity-Relationship model (HERM, [40]) have become interesting 
as data models in their own right and some dependency and normalisation theory 
has been carried over to these advanced data models [24,26,27,31,33,34,38]. The 
work in [26] provides a finite axiomatisation of FDs in the presence of sets. The 
expressiveness, however, deviates from those in previous works on FDs in the 
nested relational model [31,33]. Therefore, a new normal form is proposed in [27] 
and it is semantically justified by formally proving the equivalence to the absence 
of redundancies and the sufficiency for the absence of any update anomalies. Most 
recently, the major research interest is on the model of semi-structured data and 
XML [1], which may also be regarded as some kind of object oriented model. 
The work in [3] considers FDs arising from a relational representation of XML 
documents. There are, however, different concepts of FDs in the context of XML, 
each resulting in a different expressiveness. See [25] for a detailed discussion. The 
only paper that studies MVDs in advanced data models is [43]. Their approach is 
similar to the one in [3], and no axiomatisation results are provided. The authors 
are not aware of any work in the literature that specifically deals with lists and 
the class of FDs and MVDs, never mind an axiomatisation. 

One key problem is to develop dependency theories (or preferably a unified 
theory) for the most relevant advanced data models. These are probably the 
HERM as a nested model with various bulk type constructors, good theoreti- 
cal foundations and proven practical relevance [40], the object oriented model 
[36], the semi-structured data model and XML [1], which add unions and most 
importantly references, the expansion of which leads to rational tree structures. 
The development of such a dependency theory will have a significant impact 
on understanding application semantics and laying the grounds for a logically 
founded theory of well-designed databases. Biskup [13,14] lists in particular two 
challenges for database design theory: finding a unifying framework and 
extending achievements to deal with advanced database features such as complex 
object types. 

In order to pursue a unifying framework and capture several data models at 
a time our work is based on an abstract approach in the context of types for 
nested attributes and subtyping. In the present paper we consider the perhaps 
most common data type: finite lists. There are several reasons for this choice. 
The need for lists arises from applications that store ordered relations, time- 
series data, meteorological and astronomical data streams, runs of experimental 
data, multidimensional arrays, textual information, voices, sound, images, 
video, etc. Lists have been subject to studies in the deductive and temporal 
database community for some time [35,32]. The list type also naturally appears 
in object-oriented databases [36,23] and is in particular important for XML [1, 
44]. Recently, bioinformatics has become a very important field of research. Of 
course, lists occur naturally in genomic sequence databases [37,15]. 

The paper is organised as follows. The algebraic framework is introduced in 
Section 2. It is demonstrated that the set of subattributes for some fixed nested 
attribute carries the structure of a Brouwerian Algebra (co-Heyting Algebra). 
This generalises the framework of a Boolean Algebra from the RDM. We show 
in Section 3 how to obtain a sound and complete set of inference rules for the 
implication of FDs in the presence of lists. In Section 4 we add MVDs and 
generalise the well-known result that MVDs are satisfied by some relation exactly 
when this relation can be decomposed in two of its projections without losing or 
adding information. The main result is a finite axiomatisation for the class of FDs 
and MVDs. The inference rules are natural generalisations of their counterparts 
from relational databases. It turns out, however, that an additional rule allowing 
the derivation of non-trivial FDs from MVDs is needed (which is impossible in 
the RDM). We briefly comment on future research in Section 5. 

2 The Algebra of Nested Attributes 

This section introduces a data model based on the nesting of attributes and 
subtyping. It may be used to provide a unifying framework for the study of 
complex object types such as records, lists, sets, multisets, unions and references. 
This article, however, focuses on records and lists. 

2.1 Nested Attributes 

We start with the definition of flat attributes and values for them. 

Definition 2.1. A universe is a finite set $\mathcal{U}$ together with domains 
(i.e., sets of values) $dom(A)$ for all $A \in \mathcal{U}$. The elements of 
$\mathcal{U}$ are called flat attributes. □ 

For the relational data model a universe was sufficient. That is, a relation 
schema is defined by a finite and non-empty subset $R \subseteq \mathcal{U}$. For 
higher-order data models, however, nested attributes are needed. In the following 
definition we use a set $\mathcal{L}$ of labels, and assume that the symbol 
$\lambda$ is neither a flat attribute nor a label, i.e., 
$\lambda \notin \mathcal{U} \cup \mathcal{L}$. Moreover, flat attributes are not 
labels and vice versa, i.e., $\mathcal{U} \cap \mathcal{L} = \emptyset$. 
Definition 2.2. Let $\mathcal{U}$ be a universe and $\mathcal{L}$ a set of labels. 
The set $\mathcal{NA} = \mathcal{NA}(\mathcal{U}, \mathcal{L})$ of nested 
attributes over $\mathcal{U}$ and $\mathcal{L}$ is the smallest set satisfying the 
following conditions: 

— $\lambda \in \mathcal{NA}$, 

— $\mathcal{U} \subseteq \mathcal{NA}$, 

— for $L \in \mathcal{L}$ and $N_1, \ldots, N_k \in \mathcal{NA}$ with $k \geq 1$ we have $L(N_1, \ldots, N_k) \in \mathcal{NA}$, 

— for $L \in \mathcal{L}$ and $N \in \mathcal{NA}$ we have $L[N] \in \mathcal{NA}$. 

We call $\lambda$ null attribute, $L(N_1, \ldots, N_k)$ record-valued attribute 
and $L[N]$ list-valued attribute. □ 

We can now extend the mapping $dom$ from flat attributes to nested attributes, 
i.e., we define a set $dom(N)$ of values for every nested attribute 
$N \in \mathcal{NA}$. 

Definition 2.3. For a nested attribute $N \in \mathcal{NA}$ we define the domain 
$dom(N)$ as follows: 

— $dom(\lambda) = \{ok\}$, 

— $dom(L(N_1, \ldots, N_k)) = \{(v_1, \ldots, v_k) \mid v_i \in dom(N_i) \text{ for } i = 1, \ldots, k\}$, i.e., 
the set of all $k$-tuples $(v_1, \ldots, v_k)$ with $v_i \in dom(N_i)$ for all $i = 1, \ldots, k$, 
and 

— $dom(L[N]) = \{[v_1, \ldots, v_n] \mid v_i \in dom(N) \text{ for } i = 1, \ldots, n\}$, i.e., the set of 
all finite lists with elements in $dom(N)$. □ 

The empty list is denoted by [ ]. Note that the relational data model is 
completely covered by the presence of tuple-valued attributes only. Instead of 
relation schemata $R$ we will now consider a nested attribute $N$, assuming that 
a universe $\mathcal{U}$ and a set $\mathcal{L}$ of labels are fixed. An 
$R$-relation $r$ is then replaced by some finite set $r \subseteq dom(N)$. 

2.2 Subattributes 

Dependency theory in the relational data model is based on the powerset 
$\mathcal{P}(R)$ for a relation schema $R$. In fact, $\mathcal{P}(R)$ is a powerset 
algebra with partial order $\subseteq$, set union $\cup$, set intersection $\cap$ 
and set difference $-$. We will generalise these operations for nested attributes 
starting with a partial order $\leq$. 

Definition 2.4. The subattribute relation $\leq$ on the set of nested attributes 
$\mathcal{NA}$ over $\mathcal{U}$ and $\mathcal{L}$ is defined by the following 
rules, and the following rules only: 

— $N \leq N$ for all nested attributes $N \in \mathcal{NA}$, 

— $\lambda \leq A$ for all flat attributes $A \in \mathcal{U}$, 

— $\lambda \leq N$ for all list-valued attributes $N \in \mathcal{NA}$, 

— $L(N_1, \ldots, N_k) \leq L(M_1, \ldots, M_k)$ whenever $N_i \leq M_i$ for all $i = 1, \ldots, k$, 

— $L[N] \leq L[M]$ whenever $N \leq M$. 

For $N, M \in \mathcal{NA}$ we say that $M$ is a subattribute of $N$ if and only if 
$M \leq N$ holds. We write $M \not\leq N$ if and only if $M$ is not a subattribute 
of $N$. □ 
The subattribute relation $\leq$ on nested attributes is reflexive, anti-symmetric 
and transitive. 

Lemma 2.1. The subattribute relation is a partial order on nested attributes. □ 

Informally, $M \leq N$ for $N, M \in \mathcal{NA}$ if and only if $M$ comprises at 
most as much information as $N$ does. The informal description of the subattribute 
relation is formally documented by the existence of a projection function 
$\pi^N_M : Dom(N) \to Dom(M)$ in case $M \leq N$ holds. 

Definition 2.5. Let $N, M \in \mathcal{NA}$ with $M \leq N$. The projection function 
$\pi^N_M : Dom(N) \to Dom(M)$ is defined as follows: 

— if $N = M$, then $\pi^N_M = id_{Dom(N)}$ is the identity on $dom(N)$, 

— if $M = \lambda$, then $\pi^N_\lambda : Dom(N) \to \{ok\}$ is the constant function that maps 
every $v \in Dom(N)$ to $ok$, 

— if $N = L(N_1, \ldots, N_k)$ and $M = L(M_1, \ldots, M_k)$, then 
$\pi^N_M = \pi^{N_1}_{M_1} \times \cdots \times \pi^{N_k}_{M_k}$ 
which maps every tuple $(v_1, \ldots, v_k) \in Dom(N)$ to 
$(\pi^{N_1}_{M_1}(v_1), \ldots, \pi^{N_k}_{M_k}(v_k)) \in Dom(M)$, and 

— if $N = L[N']$ and $M = L[M']$, then $\pi^N_M : Dom(N) \to Dom(M)$ maps every 
list $[v_1, \ldots, v_n] \in Dom(N)$ to the list 
$[\pi^{N'}_{M'}(v_1), \ldots, \pi^{N'}_{M'}(v_n)] \in Dom(M)$. 

□ 

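Let $\mathcal{X}, \mathcal{Y}$ be two sets of nested attributes. $\mathcal{X}$ is 
called a generalised subset of $\mathcal{Y}$, denoted by 
$\mathcal{X} \subseteq_{gen} \mathcal{Y}$, if and only if for every 
$X \in \mathcal{X}$ there is some $Y \in \mathcal{Y}$ with $X \leq Y$. Note that 
$\subseteq_{gen}$ is a pre-order on sets of nested attributes. 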



2.3 The Brouwerian Algebra of Subattributes 

Fix a set $\mathcal{U}$ of attribute names, and a set $\mathcal{L}$ of labels. 

Definition 2.6. Let $N \in \mathcal{NA}$ be a nested attribute. The set $Sub(N)$ of 
subattributes of $N$ is $Sub(N) = \{M \mid M \leq N\}$. The bottom element 
$\lambda_N$ of $Sub(N)$ is given by 
$\lambda_N = L(\lambda_{N_1}, \ldots, \lambda_{N_k})$ whenever 
$N = L(N_1, \ldots, N_k)$, and $\lambda_N = \lambda$ whenever $N$ is not a 
tuple-valued attribute. □ 

We study the algebraic structure of $Sub(N)$. A Brouwerian Algebra [29] is 
a lattice $(L, \sqsubseteq, \sqcup, \sqcap, \dot{-}, 1)$ with top element 1 and a 
binary operation $\dot{-}$ which satisfies $a \dot{-} b \sqsubseteq c$ iff 
$a \sqsubseteq b \sqcup c$ for all $c \in L$. In this case, the operation $\dot{-}$ 
is called the pseudo-difference. The Brouwerian complement $\neg a$ of $a \in L$ is 
then defined by $\neg a = 1 \dot{-} a$. A Brouwerian Algebra is also called a 
co-Heyting Algebra or a dual Heyting Algebra. The system of all closed subsets of 
a topological space is a well-known Brouwerian Algebra. It is obvious that 
$(Sub(N), \leq, \lambda_N, N)$ is a partially ordered set with bottom element 
$\lambda_N$ and top element $N$. 

Definition 2.7. Let $N \in \mathcal{NA}$ and $Y, Z \in Sub(N)$. The join 
$Y \sqcup_N Z$, meet $Y \sqcap_N Z$ and pseudo difference $Y \dot{-}_N Z$ of $Y$ 
and $Z$ in $Sub(N)$ are inductively defined as follows: 

- $Y \sqcup_N Z = Z$ iff $Y \leq Z$ iff $Y \sqcap_N Z = Y$, and $Z \dot{-}_N \lambda_N = Z$, and $Z \leq Y$ iff 
$Z \dot{-}_N Y = \lambda_N$, 

- if $N = L[M]$, $Y = L[A]$, $Z = L[B]$, then $Y \circ_N Z = L[A \circ_M B]$ for $\circ \in \{\sqcup, \sqcap\}$ 
and if $Z \not\leq Y$, then $Z \dot{-}_N Y = L[B \dot{-}_M A]$, 

- if $N = L(N_1, \ldots, N_n)$, $Y = L(A_1, \ldots, A_n)$ and $Z = L(B_1, \ldots, B_n)$, then 
$Y \circ_N Z = L(A_1 \circ_{N_1} B_1, \ldots, A_n \circ_{N_n} B_n)$ for $\circ \in \{\sqcup, \sqcap, \dot{-}\}$. □ 

In order to simplify notation, occurrences of $\lambda$ in a tuple-valued attribute 
are usually omitted if this does not cause any ambiguities. That is, the 
subattribute $L(M_1, \ldots, M_k) \leq L(N_1, \ldots, N_k)$ is abbreviated by 
$L(M_{i_1}, \ldots, M_{i_l})$ where 
$\{M_{i_1}, \ldots, M_{i_l}\} = \{M_j : M_j \neq \lambda_{N_j} \text{ and } 1 \leq j \leq k\}$ 
and $i_1 < \cdots < i_l$. If $M_j = \lambda_{N_j}$ for all $j = 1, \ldots, k$, then 
we use $\lambda$ instead of $L(M_1, \ldots, M_k)$. The subattribute 
$L_1(A, \lambda, L_2[L_3(\lambda, \lambda)])$ of $L_1(A, B, L_2[L_3(C, D)])$ is 
abbreviated by $L_1(A, L_2[\lambda])$. However, the subattribute $L(A, \lambda)$ of 
$L(A, A)$ cannot be abbreviated by $L(A)$ since this may also refer to 
$L(\lambda, A)$. 

If the context allows, we omit the index $N$ from the operations 
$\sqcup_N, \sqcap_N, \dot{-}_N$ and from $\lambda_N$. The Brouwerian Algebra for 
$J[K(A, L[M(B, C)])]$ is illustrated in Figure 1. 




Fig. 1. The Brouwerian Algebra of J[K(A, L[M(B,C)])] 



Given some nested attribute $N \in \mathcal{NA}$ and $Y, Z \in Sub(N)$, we use 
$Y^C_N = N \dot{-} Y$ to denote the Brouwerian complement of $Y$ in $Sub(N)$. 
Again, we omit the subscript $N$ if the context allows. The pseudo difference 
$Z \dot{-} Y$ of $Z$ and $Y$ in $Sub(N)$ satisfies 

$$Z \dot{-} Y \leq X \quad\text{if and only if}\quad Z \leq Y \sqcup X$$ 

for all $X \in Sub(N)$. Consequently, for all $X \in Sub(N)$ holds $Y^C \leq X$ if 
and only if $X \sqcup Y = N$ holds. 







S. Hartmann, S. Link, and K.-D. Schewe 



The following result is straightforward to see: $Sub(\lambda)$ is isomorphic to the 
Boolean Algebra of order 0, $Sub(A)$, $A$ a flat attribute, isomorphic to the 
Boolean Algebra of order 1. $Sub(L(P))$ is isomorphic to $Sub(P)$, 
$Sub(L(P_1, \ldots, P_n))$ isomorphic to the direct product of 
$Sub(P_1), \ldots, Sub(P_n)$, and $Sub(L[P])$ is isomorphic to $Sub(P)$ augmented 
by a new minimum. It is an easy exercise to show that the set of all (finite) 
Brouwerian Algebras is closed with respect to both operations (add a new minimum, 
direct product). The following theorem generalises the fact that 
$(\mathcal{P}(R), \subseteq, \cup, \cap, -, \emptyset, R)$ is a Boolean Algebra for 
a relation schema $R$ in the RDM. 

Theorem 2.1. $(Sub(N), \leq, \sqcup_N, \sqcap_N, \dot{-}_N, N)$ forms a Brouwerian 
Algebra for every $N \in \mathcal{NA}$. □ 

Note that $(Sub(N), \leq, \sqcup, \sqcap, (\cdot)^C, \lambda, N)$ is in general not 
boolean. Take for instance $N = L[A]$ and $Y = L[\lambda]$. Then $Y^C = N$ and 
$Y \sqcap Y^C = Y \neq \lambda$. Furthermore, $Y^{CC} = \lambda \neq Y$. Moreover, 
every Brouwerian Algebra is distributive. 

3 Functional Dependencies 

We define functional dependencies, introduce a generalisation of the Armstrong 
Axioms and prove that these rules are sound and complete for the implication 
of functional dependencies. 

Definition 3.1. Let $N \in \mathcal{NA}$ be a nested attribute. A functional 
dependency on $N$ is an expression of the form $X \to Y$ where $X, Y \in Sub(N)$. 
A finite set $r \subseteq Dom(N)$ satisfies a functional dependency $X \to Y$ on 
$N$ if and only if $\pi^N_Y(t_1) = \pi^N_Y(t_2)$ holds whenever 
$\pi^N_X(t_1) = \pi^N_X(t_2)$ for any $t_1, t_2 \in r$ holds. □ 

Example 3.1. Consider Pubcrawl(Person, Visit[Drink(Beer, Pub)]) and let $r$ be 

{ (Sven, [(Lübzer, Deanos), (Kindl, Highflyers)]), 

(Sven, [(Kindl, Deanos), (Lübzer, Highflyers)]), 

(Klaus-Dieter, [(Guiness, Irish Pub), (Speights, 3Bar), (Guiness, Irish Pub)]), 
(Klaus-Dieter, [(Kolsch, Irish Pub), (Bonnsch, 3Bar), (Guiness, Irish Pub)]), 
(Sebastian, []) }. 

It is then obvious that $\models_r$ Pubcrawl(Person) $\to$ Pubcrawl(Visit[Drink(Pub)]) 
holds. □ 
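
The satisfaction test of Definition 3.1 can be run mechanically on the relation of Example 3.1. The following Python is an added example, not code from the paper; the tuple encoding of nested attributes, the names `project` and `fd_violations`, and the two extra dependencies tested (on Beer and on `Visit[λ]`) are assumptions made for illustration.

```python
# Added illustration: nested attributes as tuples, values as plain Python data.
LAM = ("lam",)                       # null attribute λ, with dom(λ) = {"ok"}

def flat(name):          return ("flat", name)
def rec(label, *parts):  return ("rec", label, tuple(parts))
def lst(label, inner):   return ("list", label, inner)

def project(n, m, v):
    """π^N_M(v) as in Definition 2.5; M must be a subattribute of N."""
    if m == n:
        return v                                     # identity on dom(N)
    if m == LAM:
        return "ok"                                  # constant map onto {ok}
    if n[0] == "rec" and m[0] == "rec" and len(n[2]) == len(m[2]):
        return tuple(project(ni, mi, vi) for ni, mi, vi in zip(n[2], m[2], v))
    if n[0] == "list" and m[0] == "list":
        return [project(n[2], m[2], x) for x in v]   # element-wise, length kept
    raise ValueError("M is not a subattribute of N")

def fd_violations(n, r, x, y):
    """Pairs of r that agree on X but differ on Y (Definition 3.1)."""
    return [(t1, t2)
            for i, t1 in enumerate(r) for t2 in r[i + 1:]
            if project(n, x, t1) == project(n, x, t2)
            and project(n, y, t1) != project(n, y, t2)]

def satisfies_fd(n, r, x, y):
    return not fd_violations(n, r, x, y)

# N = Pubcrawl(Person, Visit[Drink(Beer, Pub)]) and the relation r of Example 3.1
PUBCRAWL = rec("Pubcrawl", flat("Person"),
               lst("Visit", rec("Drink", flat("Beer"), flat("Pub"))))
R = [
    ("Sven", [("Lübzer", "Deanos"), ("Kindl", "Highflyers")]),
    ("Sven", [("Kindl", "Deanos"), ("Lübzer", "Highflyers")]),
    ("Klaus-Dieter", [("Guiness", "Irish Pub"), ("Speights", "3Bar"),
                      ("Guiness", "Irish Pub")]),
    ("Klaus-Dieter", [("Kolsch", "Irish Pub"), ("Bonnsch", "3Bar"),
                      ("Guiness", "Irish Pub")]),
    ("Sebastian", []),
]

# Subattributes written out in full, i.e. without omitting λ components.
X_PERSON = rec("Pubcrawl", flat("Person"), LAM)
Y_PUBS = rec("Pubcrawl", LAM, lst("Visit", rec("Drink", LAM, flat("Pub"))))
Y_BEERS = rec("Pubcrawl", LAM, lst("Visit", rec("Drink", flat("Beer"), LAM)))
Y_LENGTH = rec("Pubcrawl", LAM, lst("Visit", LAM))   # keeps only the list length

if __name__ == "__main__":
    for name, y in [("Visit[Drink(Pub)]", Y_PUBS),
                    ("Visit[Drink(Beer)]", Y_BEERS),
                    ("Visit[λ]", Y_LENGTH)]:
        print(f"Person -> {name}:", satisfies_fd(PUBCRAWL, R, X_PERSON, y))
```

Projecting onto `Visit[λ]` maps every list element to `ok`, so the dependency on `Y_LENGTH` states that a person determines the number of visits, a constraint that has no counterpart for flat relational attributes.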

The notions of implication ($\models$) and derivability ($\vdash_{\mathfrak{R}}$) 
with respect to a set $\mathfrak{R}$ of inference rules for a class $\mathcal{C}$ 
of dependencies can be defined analogously to the notions in the RDM (see for 
instance [2, pp. 164-168]). In this paper, implication refers to finite 
implication only. Let $\Sigma$ be a set of dependencies from $\mathcal{C}$ on some 
nested attribute $N$. We are interested in the set of all dependencies in 
$\mathcal{C}$ implied by $\Sigma$, i.e., 
$\Sigma^* = \{\varphi \in \mathcal{C} \mid \Sigma \models \varphi\}$. Our aim is 
finding sets $\mathfrak{R}$ of inference rules which are sound 
($\Sigma^+ \subseteq \Sigma^*$) and complete ($\Sigma^* \subseteq \Sigma^+$) for 
the implication of dependencies in the class $\mathcal{C}$, and where 
$\Sigma^+ = \{\varphi \in \mathcal{C} \mid \Sigma \vdash_{\mathfrak{R}} \varphi\}$. 
We will first consider the class $\mathcal{C}$ of functional dependencies. 
Definition 3.2. The generalised Armstrong Axioms for functional dependencies 
on a nested attribute $N$ are 

$$\frac{}{X \to Y}\; Y \leq X, \qquad \frac{X \to Y}{X \to X \sqcup Y}, \qquad \frac{X \to Y,\; Y \to Z}{X \to Z}.$$ 

These rules are called the reflexivity axiom, the extension rule and the transitivity 
rule. □ 



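Example 3.2. In order to sketch how these rules work we prove the soundness of 
the join rule 

$$\frac{X \to Y,\; X \to Z}{X \to Y \sqcup Z}$$ 

using the following derivation tree 

$$\frac{\dfrac{X \to Y}{X \to X \sqcup Y} \qquad \dfrac{\dfrac{\dfrac{X \sqcup Y \to X \qquad X \to Z}{X \sqcup Y \to Z}}{X \sqcup Y \to X \sqcup Y \sqcup Z} \qquad X \sqcup Y \sqcup Z \to Y \sqcup Z}{X \sqcup Y \to Y \sqcup Z}}{X \to Y \sqcup Z}$$ 

□ 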



Proposition 3.1. The generalised Armstrong Axioms are sound. 

Proof (Sketch). It is not hard to see the soundness of the reflexivity and 
transitivity rule. 

For the soundness of the extension rule assume $X, Y \in Sub(N)$ and let 
$r \subseteq Dom(N)$ with $\models_r X \to Y$. Let $t_1, t_2 \in r$ with 
$\pi^N_X(t_1) = \pi^N_X(t_2)$. Since $\models_r X \to Y$ we also know that 
$\pi^N_Y(t_1) = \pi^N_Y(t_2)$. We show by induction that also 
$\pi^N_{X \sqcup Y}(t_1) = \pi^N_{X \sqcup Y}(t_2)$ holds. If $X \leq Y$, then 
$\pi^N_{X \sqcup Y}(t_1) = \pi^N_Y(t_1) = \pi^N_Y(t_2) = \pi^N_{X \sqcup Y}(t_2)$ 
and similar in the case when $Y \leq X$ holds. Let $N = L(N_1, \ldots, N_n)$, 
$X = L(A_1, \ldots, A_n)$ and $Y = L(B_1, \ldots, B_n)$. Since 
$t_1, t_2 \in Dom(N)$ it follows that $t_1 = (t_1^1, \ldots, t_1^n)$ and 
$t_2 = (t_2^1, \ldots, t_2^n)$ with $t_1^i, t_2^i \in Dom(N_i)$ for 
$i = 1, \ldots, n$. From $\pi^N_X(t_1) = \pi^N_X(t_2)$ and 
$\pi^N_Y(t_1) = \pi^N_Y(t_2)$ follow 
$\pi^{N_i}_{A_i}(t_1^i) = \pi^{N_i}_{A_i}(t_2^i)$ and 
$\pi^{N_i}_{B_i}(t_1^i) = \pi^{N_i}_{B_i}(t_2^i)$ for $i = 1, \ldots, n$. We 
conclude by hypothesis that 
$\pi^{N_i}_{A_i \sqcup B_i}(t_1^i) = \pi^{N_i}_{A_i \sqcup B_i}(t_2^i)$ holds for 
$i = 1, \ldots, n$. Then we have 

$$\pi^N_{X \sqcup Y}(t_1) = (\pi^{N_1}_{A_1 \sqcup B_1}(t_1^1), \ldots, \pi^{N_n}_{A_n \sqcup B_n}(t_1^n)) = (\pi^{N_1}_{A_1 \sqcup B_1}(t_2^1), \ldots, \pi^{N_n}_{A_n \sqcup B_n}(t_2^n)).$$ 

Let $N = L[A]$, $X = L[B]$ and $Y = L[C]$. Since $t_1, t_2 \in Dom(N)$ it follows 
that $t_1 = [a_1, \ldots, a_k]$ and $t_2 = [a'_1, \ldots, a'_l]$ with 
$a_i, a'_j \in Dom(A)$ for $i = 1, \ldots, k$ and $j = 1, \ldots, l$. From 
$\pi^N_X(t_1) = \pi^N_X(t_2)$ and $\pi^N_Y(t_1) = \pi^N_Y(t_2)$ follow $k = l$ 
and $\pi^A_B(a_i) = \pi^A_B(a'_i)$ and $\pi^A_C(a_i) = \pi^A_C(a'_i)$ for 
$i = 1, \ldots, k$. We conclude by hypothesis that also 
$\pi^A_{B \sqcup C}(a_i) = \pi^A_{B \sqcup C}(a'_i)$ hold for $i = 1, \ldots, k$. 
Then we have 

$$\pi^N_{X \sqcup Y}(t_1) = [\pi^A_{B \sqcup C}(a_1), \ldots, \pi^A_{B \sqcup C}(a_k)] = [\pi^A_{B \sqcup C}(a'_1), \ldots, \pi^A_{B \sqcup C}(a'_k)] = \pi^N_{X \sqcup Y}(t_2).$$ 

This concludes the proof for the soundness of the extension rule. □ 

Definition 3.3. Let $N \in \mathcal{NA}$. The subattribute basis of $N$ is the 
smallest set $SubB(N) \subseteq Sub(N)$ such that for all $X \in Sub(N)$ we have 
$X = \bigsqcup Z$ for some $Z \subseteq SubB(N)$. Every $X \in SubB(N)$ is called 
a basis attribute for $N$. A basis attribute $X \in SubB(N)$ is called maximal if 
and only if $X \leq Y$ for some basis attribute $Y \in SubB(N)$ implies that 
$X = Y$ holds. Basis attributes that are not maximal are called non-maximal. The 
maximal basis attributes of $N$ are denoted by $MaxB(N)$. □ 

It is immediate that $\lambda \notin SubB(N)$ since $\lambda = \bigsqcup \emptyset$. 
Furthermore, $SubB(N)$ is not an anti-chain with respect to $\leq$. It is true 
that $X = X^{CC} \sqcup (X \sqcap X^C)$ holds in every Brouwerian Algebra. Consider 
now a basis attribute $Y \in SubB(N)$. If $Y$ is maximal, then 
$Y \sqcap Y^C = \lambda$ and $Y = Y^{CC}$. If $Y$ is non-maximal then 
$Y^{CC} = \lambda$ and $Y = Y \sqcap Y^C$. Therefore, a basis attribute $Y$ is 
maximal if and only if $Y = Y^{CC}$ holds, and non-maximal if and only if 
$Y = Y \sqcap Y^C$ holds. 

Example 3.3. Let $N = L_1(A, L_2[L_3(B, L_4[C])])$. The subattribute basis is then 

$\{L_1(A),\; L_1(L_2[\lambda]),\; L_1(L_2[L_3(L_4[\lambda])]),\; L_1(L_2[L_3(B)]),\; L_1(L_2[L_3(L_4[C])])\}$. 

The maximal basis attributes are $L_1(A)$, $L_1(L_2[L_3(B)])$ and $L_1(L_2[L_3(L_4[C])])$. 
The non-maximal basis attributes are $L_1(L_2[\lambda])$ and $L_1(L_2[L_3(L_4[\lambda])])$. □ 
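
The operations of Definition 2.7 and the basis of Definition 3.3 can be checked by brute force on small attributes such as those of Figure 1 and Example 3.3. The following Python is an added example, not code from the paper; the tuple encoding and all function names are assumptions, and the basis is computed as the set of join-irreducible elements, which is what the smallest join-generating set amounts to in a finite lattice.

```python
from itertools import product

LAM = ("lam",)                                   # null attribute λ
def flat(name):          return ("flat", name)
def rec(label, *parts):  return ("rec", label, tuple(parts))
def lst(label, inner):   return ("list", label, inner)

def bottom(n):
    """λ_N of Definition 2.6."""
    return rec(n[1], *map(bottom, n[2])) if n[0] == "rec" else LAM

def sub(n):
    """Sub(N) following Definition 2.4, records written out in full."""
    if n == LAM:
        return [LAM]
    if n[0] == "flat":
        return [LAM, n]
    if n[0] == "list":
        return [LAM] + [lst(n[1], m) for m in sub(n[2])]
    return [rec(n[1], *parts) for parts in product(*map(sub, n[2]))]

def leq(m, n):
    """M ≤ N for two members of the same Sub(.)."""
    if m == n:
        return True
    if m == LAM:
        return n[0] in ("flat", "list")
    if m[0] == n[0] == "rec":
        return all(leq(a, b) for a, b in zip(m[2], n[2]))
    if m[0] == n[0] == "list":
        return leq(m[2], n[2])
    return False

def _lift(op, y, z, n):
    """Apply op below the outermost constructor of N (Definition 2.7)."""
    if n[0] == "list":
        return lst(n[1], op(y[2], z[2], n[2]))
    return rec(n[1], *(op(a, b, p) for a, b, p in zip(y[2], z[2], n[2])))

def join(y, z, n):
    if leq(y, z): return z
    if leq(z, y): return y
    return _lift(join, y, z, n)

def meet(y, z, n):
    if leq(y, z): return y
    if leq(z, y): return z
    return _lift(meet, y, z, n)

def diff(z, y, n):
    """Pseudo-difference Z ∸_N Y."""
    if leq(z, y): return bottom(n)
    if y == bottom(n): return z
    return _lift(diff, z, y, n)

def comp(y, n):
    """Brouwerian complement Y^C = N ∸ Y."""
    return diff(n, y, n)

def adjunction_holds(n):
    """Z ∸ Y ≤ X iff Z ≤ Y ⊔ X, checked for every X, Y, Z in Sub(N)."""
    s = sub(n)
    return all(leq(diff(z, y, n), x) == leq(z, join(y, x, n))
               for x in s for y in s for z in s)

def basis(n):
    """SubB(N): non-bottom elements that are not a join of strictly smaller ones."""
    s = sub(n)
    def below(x):
        return [y for y in s if y != x and leq(y, x)]
    return [x for x in s if x != bottom(n)
            and all(join(y, z, n) != x for y in below(x) for z in below(x))]

def max_basis(n):
    """MaxB(N), using the characterisation Y = Y^CC."""
    return [y for y in basis(n) if comp(comp(y, n), n) == y]

FIG1 = lst("J", rec("K", flat("A"), lst("L", rec("M", flat("B"), flat("C")))))
EX33 = rec("L1", flat("A"),
           lst("L2", rec("L3", flat("B"), lst("L4", flat("C")))))

if __name__ == "__main__":
    print(len(sub(FIG1)), adjunction_holds(FIG1))
    print(len(basis(EX33)), len(max_basis(EX33)))
```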

Lemma 3.1. Let $N \in \mathcal{NA}$. There are $t_1, t_2 \in Dom(N)$ such that 
$\pi^N_X(t_1) \neq \pi^N_X(t_2)$ on all $\lambda \neq X \leq N$ holds. 

Proof. We prove this lemma by induction on $N$. For $N = \lambda$ there is nothing 
to show. If $N = A$ is a flat attribute, then the only $\lambda \neq X \leq N$ is 
$X = A$. In this case, $t_1 = a$ and $t_2 = a'$ with $a, a' \in Dom(A)$ and 
$a \neq a'$ are chosen. If $N = L(N_1, \ldots, N_k)$, then there are 
$t_1^i, t_2^i \in Dom(N_i)$ with 
$\pi^{N_i}_{M_i}(t_1^i) \neq \pi^{N_i}_{M_i}(t_2^i)$ on all 
$\lambda \neq M_i \leq N_i$ for all $i = 1, \ldots, k$. Define 
$t_1 = (t_1^1, \ldots, t_1^k)$, $t_2 = (t_2^1, \ldots, t_2^k) \in Dom(N)$. For 
$\lambda \neq X \leq N$ we have $X = L(M_1, \ldots, M_k)$ with $M_i \neq \lambda$ 
for some $i \in \{1, \ldots, k\}$. This implies that 
$\pi^N_X(t_1) = (\pi^{N_1}_{M_1}(t_1^1), \ldots, \pi^{N_k}_{M_k}(t_1^k)) \neq (\pi^{N_1}_{M_1}(t_2^1), \ldots, \pi^{N_k}_{M_k}(t_2^k)) = \pi^N_X(t_2)$. 
It remains to consider the case where $N = L[N']$. In this case we define 
$t_1 = [\,]$, $t_2 = [n'] \in Dom(N)$ with $n' \in Dom(N')$. For 
$\lambda \neq X \leq N$ follows $X = L[M]$ with $M \leq N'$ and 
$\pi^N_X(t_1) = [\,] \neq [\pi^{N'}_M(n')] = \pi^N_X(t_2)$. This concludes the 
proof. □ 

Lemma 3.2. Let $N \in \mathcal{NA}$. For all $X \in Sub(N)$ there are 
$t_1, t_2 \in Dom(N)$ such that $\pi^N_Y(t_1) = \pi^N_Y(t_2)$ holds if and only if 
$Y \leq X$. 

Proof. If $X = \lambda$, then we apply Lemma 3.1. We assume that $X \neq \lambda$ 
from now on and proceed by induction on $N$. If $N = A$ is a flat attribute, then 
$X = A$ and we define $t_1 = a = t_2$ with some $a \in Dom(A)$. Consider the 
case where $N = L(A_1, \ldots, A_n)$ and let $X = L(B_1, \ldots, B_n)$ with 
$B_i \leq A_i$ for $i = 1, \ldots, n$. For $i = 1, \ldots, n$ there are 
$t_1^i, t_2^i \in Dom(A_i)$ with 
$\pi^{A_i}_{C_i}(t_1^i) = \pi^{A_i}_{C_i}(t_2^i)$ if and only if $C_i \leq B_i$ 
holds, by hypothesis. We define $t_1 = (t_1^1, \ldots, t_1^n)$ and 
$t_2 = (t_2^1, \ldots, t_2^n)$ with $t_1, t_2 \in Dom(N)$. It follows that 
$Y \leq X$ if and only if $Y = L(C_1, \ldots, C_n)$ with $C_i \leq B_i$ for 
$i = 1, \ldots, n$ if and only if 
$\pi^{A_i}_{C_i}(t_1^i) = \pi^{A_i}_{C_i}(t_2^i)$ for $i = 1, \ldots, n$ if and 
only if $\pi^N_Y(t_1) = \pi^N_Y(t_2)$. It remains to consider the case where 
$N = L[A]$. Consequently, $X = L[B]$ with $B \leq C$. Then there are some 
$t'_1, t'_2 \in Dom(A)$ such that $\pi^A_C(t'_1) = \pi^A_C(t'_2)$ if and only if 
$C \leq B$ by hypothesis. Defining $t_1 = [t'_1]$, $t_2 = [t'_2] \in Dom(N)$ we 
infer that $\lambda \neq Y \leq X$ if and only if $Y = L[C]$ with $C \leq B$ if and 
only if $\pi^A_C(t'_1) = \pi^A_C(t'_2)$ if and only if 
$[\pi^A_C(t'_1)] = [\pi^A_C(t'_2)]$ if and only if 
$\pi^N_Y(t_1) = \pi^N_Y(t_2)$. The case $Y = \lambda$ is trivial. □ 

The following result shows that FDs can be easily captured by a natural 
generalisation of Armstrong’s well-known axioms, if only base, record and finite 
list types are present. In the presence of finite set types, however, extension and 
join rule are only valid in a restricted form. This results in a more sophisticated 
set of inference rules (see [26] for details). 

Theorem 3.1. The generalised Armstrong Axioms are sound and complete for 
the implication of functional dependencies defined on some nested attribute N. 

Proof. It remains to show the completeness, i.e., $\Sigma^* \subseteq \Sigma^+$. 
Let $X \to Y \notin \Sigma^+$. We will show that $X \to Y \notin \Sigma^*$ by 
defining some $r \subseteq Dom(N)$ with $\models_r \Sigma^*$ and 
$\not\models_r X \to Y$. Let $X^+ = \bigsqcup \{Z \mid X \to Z \in \Sigma^+\}$. It 
follows that $Y \not\leq X^+$. Otherwise we had $X^+ \to Y \in \Sigma^+$ by the 
reflexivity axiom, $X \to X^+ \in \Sigma^+$ by the join rule and also 
$X \to Y \in \Sigma^+$ by the transitivity rule. Using Lemma 3.2 we define 
$r = \{t_1, t_2\} \subseteq Dom(N)$ by 

^f(U) =7rf(t 2 ) iff . (1) 

Since $X \leq X^+$ and $Y \not\leq X^+$ we have $\pi^N_X(t_1) = \pi^N_X(t_2)$, but 
$\pi^N_Y(t_1) \neq \pi^N_Y(t_2)$. This shows that $\not\models_r X \to Y$. Let 
$U \to V \in \Sigma$. If $U \not\leq X^+$, then $\pi^N_U(t_1) \neq \pi^N_U(t_2)$ by 
equation (1), and $\models_r U \to V$. If $U \leq X^+$, then 
$\pi^N_U(t_1) = \pi^N_U(t_2)$ by equation (1). It follows that 
$X^+ \to U \in \Sigma^+$ by the reflexivity axiom. From 
$X \to X^+, X^+ \to U, U \to V \in \Sigma^+$ follows $X \to V \in \Sigma^+$ which 
means that $V \leq X^+$ by definition of $X^+$. Again, equation (1) implies that 
$\pi^N_V(t_1) = \pi^N_V(t_2)$ holds. This shows $\models_r U \to V$. From 
$\models_r \Sigma$ follows immediately $\models_r \Sigma^*$ which completes the 
proof. □ 

4 Adding Multi-valued Dependencies 

Multi-valued dependencies have been introduced in [21] and axiomatised in [9]. In 
this section, we will introduce multi-valued dependencies in the presence of base, 
record and finite list types. We will show that important properties of MVDs
from the RDM carry over. It is in particular possible to extend the generalised
Armstrong Axioms to obtain a finite axiomatisation for the class C of FDs and
MVDs in the presence of base, record and finite list types. This axiomatisation
is a natural extension of the axiomatisation in the relational case (compare for
instance to [34, pp. 80,81]). A fundamental difference will be the fact that the
non-trivial FD $X \to Y \sqcap Y^C$ is implied by the MVD $X \twoheadrightarrow Y$. An axiomatisation of
MVDs in the context of any advanced data models has nowhere in the literature
been provided before.



4.1 Definition and First Results 

Definition 4.1. Let $N \in \mathcal{NA}$ be a nested attribute. A multi-valued dependency
on $N$ is an expression of the form $X \twoheadrightarrow Y$ where $X, Y \in Sub(N)$. A finite set
$r \subseteq Dom(N)$ satisfies a multi-valued dependency $X \twoheadrightarrow Y$ on $N$ if and only
if for all values $t_1, t_2 \in r$ with $\pi_X^N(t_1) = \pi_X^N(t_2)$ there is a value $t \in r$ with
$\pi_{X \sqcup Y}^N(t) = \pi_{X \sqcup Y}^N(t_1)$ and $\pi_{X \sqcup Y^C}^N(t) = \pi_{X \sqcup Y^C}^N(t_2)$. □

Example 4.1. Consider Pubcrawl(Person, Visit[Drink(Beer, Pub)]) from Example 3.1
again. Extend $r$ to be

{ (Sven, [(Lübzer, Deanos), (Kindl, Highflyers)]),
  (Sven, [(Kindl, Deanos), (Lübzer, Highflyers)]),
  (Klaus-Dieter, [(Guiness, Irish Pub), (Speights, 3Bar), (Guiness, Irish Pub)]),
  (Klaus-Dieter, [(Kölsch, Irish Pub), (Bönnsch, 3Bar), (Guiness, Irish Pub)]),
  (Klaus-Dieter, [(Guiness, Highflyers), (Speights, Deanos), (Guiness, 3Bar)]),
  (Klaus-Dieter, [(Kölsch, Highflyers), (Bönnsch, Deanos), (Guiness, 3Bar)]),
  (Sebastian, []) }

Obviously, Pubcrawl(Person) $\to$ Pubcrawl(Visit[Drink(Pub)]) is not satisfied
by $r$, and neither is Pubcrawl(Person) $\to$ Pubcrawl(Visit[Drink(Beer)]). However,
$\models_r$ Pubcrawl(Person) $\twoheadrightarrow$ Pubcrawl(Visit[Drink(Pub)]). This MVD informally
says that a person has preferred lists of pubs, e.g. according to the weekday,
and preferred lists of beers, e.g. according to the mood that person is in. Since
a weekday is independent from the mood of a person, all possible combinations
of these lists can occur. Note that $\models_r$ Pubcrawl(Person) $\to$ Pubcrawl(Visit[$\lambda$])
holds. This means informally that the person determines the number of bars
visited by that person. □

A dependency $\sigma$ on some nested attribute $N$ is called trivial if and only if
$\models_r \sigma$ for every $r \subseteq Dom(N)$. The following result characterises trivial MVDs.

Lemma 4.1. Let $N \in \mathcal{NA}$ and $X \twoheadrightarrow Y$ a multi-valued dependency on $N$. Then
$X \twoheadrightarrow Y$ is trivial if and only if $Y \le X$ or $X \sqcup Y = N$.

Proof. We show first that X -» Y is trivial, if Y < X or X U Y = N. Let 
r C Dom(N) and ti,t 2 £ r with 7T^(ti) = If there is some t £ r with 

$\pi_{X \sqcup Y}^N(t) = \pi_{X \sqcup Y}^N(t_1)$ and $\pi_{X \sqcup Y^C}^N(t) = \pi_{X \sqcup Y^C}^N(t_2)$, then $\models_r X \twoheadrightarrow Y$. If $Y \le X$,
then take $t = t_2$. If $X \sqcup Y = N$, or equivalently $Y^C \le X$, then take $t = t_1$.
Let now be $Y \not\le X$ and $X \sqcup Y \ne N$, i.e., $Y^C \not\le X$. We show that there is
some $r \subseteq Dom(N)$ with $\not\models_r X \twoheadrightarrow Y$. Define $r = \{t_1, t_2\}$ by

$\pi_Z^N(t_1) = \pi_Z^N(t_2)$ iff $Z \le X$

using Lemma 3.2. Now $\models_r X \twoheadrightarrow Y$, if there is some $t \in r$ with $\pi_{X \sqcup Y}^N(t) =
\pi_{X \sqcup Y}^N(t_1)$ and $\pi_{X \sqcup Y^C}^N(t) = \pi_{X \sqcup Y^C}^N(t_2)$. If $t = t_1$, then the second condition is
violated since $Y^C \not\le X$. If $t = t_2$, then the first condition is violated since
$Y \not\le X$. Hence, $\not\models_r X \twoheadrightarrow Y$. □

Fagin proves in [21] that MVDs “provide a necessary and sufficient condition 
for a relation to be decomposable into two of its projections without loss of 
information (in the sense that the original relation is guaranteed to be the join 
of the two projections).” 

Definition 4.2. Let $N \in \mathcal{NA}$ and $X, Y \in Sub(N)$. Let $r_1 \subseteq Dom(X)$ and
$r_2 \subseteq Dom(Y)$. Then

$r_1 \bowtie r_2 = \{t \in Dom(X \sqcup Y) \mid$ there are $t_1 \in r_1, t_2 \in r_2$ with
$\pi_X^{X \sqcup Y}(t) = t_1$ and $\pi_Y^{X \sqcup Y}(t) = t_2\}$

is called the generalised join $r_1 \bowtie r_2$ of $r_1$ and $r_2$. □

We will now prove that MVDs still have the same property in the presence 
of base, record and finite list types. The projection 7ix (r) of r C Dom(N) on 
X < N is defined as | t £ r}. In this sense, r C Dom(N) satisfies the 

MVD $X \twoheadrightarrow Y$ exactly when $r$ is the lossless generalised join of its projections on
$X \sqcup Y$ and $X \sqcup Y^C$, i.e., $r = \pi_{X \sqcup Y}(r) \bowtie \pi_{X \sqcup Y^C}(r)$.

Theorem 4.1. Let $N \in \mathcal{NA}$, $r \subseteq Dom(N)$ and $X \twoheadrightarrow Y$ a multi-valued
dependency on $N$. Then $X \twoheadrightarrow Y$ is satisfied by $r$ if and only if
$r = \pi_{X \sqcup Y}(r) \bowtie \pi_{X \sqcup Y^C}(r)$.

Proof. Let $r_1 = \pi_{X \sqcup Y}(r)$ and $r_2 = \pi_{X \sqcup Y^C}(r)$. Note that $r \subseteq r_1 \bowtie r_2$ is always
satisfied.

First, let $\models_r X \twoheadrightarrow Y$. We show that $r_1 \bowtie r_2 \subseteq r$. Let $t \in r_1 \bowtie r_2$. Then there
are $t_1 \in r_1$ and $t_2 \in r_2$ with

$\pi_X^N(t) = \pi_X^{X \sqcup Y}(t_1) = \pi_X^{X \sqcup Y^C}(t_2)$, $\pi_Y^N(t) = \pi_Y^{X \sqcup Y}(t_1)$, $\pi_{Y^C}^N(t) = \pi_{Y^C}^{X \sqcup Y^C}(t_2)$.

Since $t_1 \in r_1$, there is some $t_1' \in r$ with $\pi_{X \sqcup Y}^N(t_1') = t_1$. Correspondingly, since
$t_2 \in r_2$, there is some $t_2' \in r$ with $\pi_{X \sqcup Y^C}^N(t_2') = t_2$. From $\pi_X^N(t_1') = \pi_X^N(t_2')$ and
$\models_r X \twoheadrightarrow Y$ follows the existence of some $t_3 \in r$ with $\pi_{X \sqcup Y}^N(t_3) = \pi_{X \sqcup Y}^N(t_1') = t_1$
and $\pi_{X \sqcup Y^C}^N(t_3) = \pi_{X \sqcup Y^C}^N(t_2') = t_2$. It follows that $t = t_3 \in r$ and, therefore,
$r_1 \bowtie r_2 \subseteq r$.

Let now $r = r_1 \bowtie r_2$ and $t_1, t_2 \in r$ with $\pi_X^N(t_1) = \pi_X^N(t_2)$. Let $t_1' \in r_1$ with
$t_1' = \pi_{X \sqcup Y}^N(t_1)$ and $t_2' \in r_2$ with $t_2' = \pi_{X \sqcup Y^C}^N(t_2)$. Since $r_1 \bowtie r_2 \subseteq r$, there is
some $t \in r$ with $\pi_{X \sqcup Y}^N(t) = t_1'$ and $\pi_{X \sqcup Y^C}^N(t) = t_2'$. This shows $\models_r X \twoheadrightarrow Y$. □

4.2 Sound Inference Rules

A sound and complete set of inference rules for FDs and MVDs has been provided
in [9]. We will show in this section that natural extensions of the (sound and
complete) rules from [34, p.80,81] are also sound in the presence of base, record
and finite list types. Apart from these rules there is a further sound rule which
allows one to derive a non-trivial FD $X \to Y \sqcap Y^C$ from an MVD $X \twoheadrightarrow Y$.

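Proposition 4.1. The following inference rules

(reflexivity axiom)

$\dfrac{X \to Y,\ Y \to Z}{X \to Z}$ (transitivity rule)

$\dfrac{X \twoheadrightarrow Y}{X \twoheadrightarrow Y^C}$ (Brouwerian-complement rule)

$\dfrac{X \twoheadrightarrow Y,\ Y \twoheadrightarrow Z}{X \twoheadrightarrow (Z \mathbin{\dot{-}} Y)}$ (pseudo-transitivity rule)

$\dfrac{X \twoheadrightarrow Y,\ X \twoheadrightarrow Z}{X \twoheadrightarrow (Y \sqcup Z)}$ (multi-valued join rule)

$\dfrac{X \twoheadrightarrow Y}{X \to Y \sqcap Y^C}$ (mixed meet rule)

$\dfrac{X \to Y}{X \to X \sqcup Y}$ (extension rule)

$\dfrac{X \to Y}{X \twoheadrightarrow Y}$ (implication rule)

$\dfrac{X \twoheadrightarrow Y}{W \sqcup X \twoheadrightarrow V \sqcup Y}\ V \le W$ (multi-valued augmentation rule)

$\dfrac{X \twoheadrightarrow Y,\ Y \to Z}{X \to (Z \mathbin{\dot{-}} Y)}$ (mixed pseudo-transitivity rule)

$\dfrac{X \twoheadrightarrow Y,\ X \twoheadrightarrow Z}{X \twoheadrightarrow (Z \mathbin{\dot{-}} Y)}$ (pseudo-difference rule)

$\dfrac{X \twoheadrightarrow Y,\ X \twoheadrightarrow Z}{X \twoheadrightarrow (Y \sqcap Z)}$ (multi-valued meet rule)

are sound for the implication of functional and multi-valued dependencies.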

Proof (Sketch). The soundness proofs are lengthy, but can be carried over from 
the RDM using the algebraic framework of a Brouwerian Algebra. We will prove 
the soundness of the mixed meet rule. 

Let $t_1, t_2 \in r$ with $\pi_X^N(t_1) = \pi_X^N(t_2)$. Applying the premise gives us some
$t \in r$ with $\pi_{X \sqcup Y}^N(t) = \pi_{X \sqcup Y}^N(t_1)$ and $\pi_{X \sqcup Y^C}^N(t) = \pi_{X \sqcup Y^C}^N(t_2)$. As $Y \sqcap Y^C \le Y, Y^C$
holds by definition of the meet we derive

7 r ynF c (^i) = n Yr\Y c (t) ~ 

which proves $\models_r X \to Y \sqcap Y^C$. □

It is easy to see that all rules from Proposition 4.1 except the mixed meet rule
are natural extensions of rules in the RDM (compare [34, p. 80,81]). Interpreting
the mixed meet rule in relational databases means that the trivial FD $X \to \emptyset$
can be derived from the MVD $X \twoheadrightarrow Y$, and is therefore not needed.

The mixed meet rule is of particular importance in what follows. It says
informally that $\models_r X \twoheadrightarrow Y$ implies that two elements of $r$
which are coincident on $X$ will also coincide on all basis attributes in $SubB(Y)$
which are not maximal basis attributes of $N$ on which the MVD is defined.

Example 4.2. Consider again Example 4.1. The $r$ given there satisfies the MVD

Pubcrawl(Person) $\twoheadrightarrow$ Pubcrawl(Visit[Drink(Pub)]).

According to the mixed meet rule this implies also that $r$ satisfies the FD

Pubcrawl(Person) $\to$ Pubcrawl(Visit[Drink(Pub)]) $\sqcap$ Pubcrawl(Visit[Drink(Beer)])

which is Pubcrawl(Person) $\to$ Pubcrawl(Visit[$\lambda$]). □
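The following Python code is an added example, not code from the paper. It models a subattribute of Pubcrawl as a downward-closed set of the four basis attributes and checks Definition 4.1, the lossless generalised join of Theorem 4.1 and the mixed meet rule on the instance $r$ of Example 4.1. The function names and the abbreviations `Visit[Beer]` and `Visit[Pub]` are assumptions of this example.

```python
"""FD/MVD satisfaction on the Pubcrawl instance of Example 4.1 (added example)."""
from itertools import product

# Basis attributes of N = Pubcrawl(Person, Visit[Drink(Beer, Pub)]) with the
# function projecting a value (person, ((beer, pub), ...)) onto each of them.
# "Visit[Beer]" abbreviates Pubcrawl(Visit[Drink(Beer)]); likewise "Visit[Pub]".
BASIS = {
    "Person":      lambda t: t[0],
    "Visit[λ]":    lambda t: len(t[1]),          # only the list length survives
    "Visit[Beer]": lambda t: tuple(b for b, _ in t[1]),
    "Visit[Pub]":  lambda t: tuple(p for _, p in t[1]),
}
# Basis attributes strictly below each one: Visit[λ] is the only non-maximal one.
BELOW = {"Person": set(), "Visit[λ]": set(),
         "Visit[Beer]": {"Visit[λ]"}, "Visit[Pub]": {"Visit[λ]"}}


def sub(*names):
    """A subattribute, modelled as a downward-closed set of basis attributes."""
    return frozenset(names).union(*(BELOW[n] for n in names))


N = sub(*BASIS)


def complement(y):
    """Brouwerian complement Y^C: the least Z with Y ⊔ Z = N."""
    return sub(*(N - y))


def proj(x, t):
    """Projection of the value t onto the subattribute x."""
    return tuple((a, BASIS[a](t)) for a in sorted(x))


def agree(x, t1, t2):
    return proj(x, t1) == proj(x, t2)


def satisfies_fd(r, x, y):
    return all(agree(y, t1, t2)
               for t1, t2 in product(r, repeat=2) if agree(x, t1, t2))


def satisfies_mvd(r, x, y):
    """Definition 4.1: some t in r matches t1 on X ⊔ Y and t2 on X ⊔ Y^C."""
    xy, xyc = x | y, x | complement(y)      # join of down-sets is their union
    return all(any(agree(xy, t, t1) and agree(xyc, t, t2) for t in r)
               for t1, t2 in product(r, repeat=2) if agree(x, t1, t2))


def generalised_join(r, x, y):
    """π_{X⊔Y}(r) ⋈ π_{X⊔Y^C}(r) of Theorem 4.1, rebuilt as values of N."""
    xy, xyc = x | y, x | complement(y)
    joined = set()
    for p1, p2 in product({proj(xy, t) for t in r}, {proj(xyc, t) for t in r}):
        merged = dict(p1)
        if any(merged.setdefault(a, v) != v for a, v in p2):
            continue                 # disagreement on a shared basis attribute
        joined.add((merged["Person"],
                    tuple(zip(merged["Visit[Beer]"], merged["Visit[Pub]"]))))
    return joined


# The instance r of Example 4.1 (lists written as tuples so values are hashable).
R = {
    ("Sven", (("Lübzer", "Deanos"), ("Kindl", "Highflyers"))),
    ("Sven", (("Kindl", "Deanos"), ("Lübzer", "Highflyers"))),
    ("Klaus-Dieter", (("Guiness", "Irish Pub"), ("Speights", "3Bar"), ("Guiness", "Irish Pub"))),
    ("Klaus-Dieter", (("Kölsch", "Irish Pub"), ("Bönnsch", "3Bar"), ("Guiness", "Irish Pub"))),
    ("Klaus-Dieter", (("Guiness", "Highflyers"), ("Speights", "Deanos"), ("Guiness", "3Bar"))),
    ("Klaus-Dieter", (("Kölsch", "Highflyers"), ("Bönnsch", "Deanos"), ("Guiness", "3Bar"))),
    ("Sebastian", ()),
}
PERSON, PUBS, BEERS = sub("Person"), sub("Visit[Pub]"), sub("Visit[Beer]")

if __name__ == "__main__":
    meet = PUBS & complement(PUBS)           # Y ⊓ Y^C of the mixed meet rule
    print("Person -> Pubs        :", satisfies_fd(R, PERSON, PUBS))
    print("Person -> Beers       :", satisfies_fd(R, PERSON, BEERS))
    print("Person ->> Pubs       :", satisfies_mvd(R, PERSON, PUBS))
    print("Y ⊓ Y^C               :", sorted(meet))
    print("Person -> Y ⊓ Y^C     :", satisfies_fd(R, PERSON, meet))
    print("r equals its join     :", generalised_join(R, PERSON, PUBS) == R)
```

Deleting any one of the four Klaus-Dieter values makes the MVD fail, while the generalised join of the two projections still returns all seven values.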



4.3 Dependency Basis 

Consider the set of all $Y$ with $X \twoheadrightarrow Y \in \Sigma^+$ for a fixed $X$ defined on some nested
attribute $N$. According to the multi-valued join, multi-valued meet and pseudo-
difference rule this set, partially ordered by $\le$, forms a Brouwerian Algebra. Due
to the mixed meet rule, all basis attributes of $Y$ which are not maximal in $N$ are
already functionally determined by $X$. Attributes $Y^{CC} \ne \lambda$ with $X \twoheadrightarrow Y \in \Sigma^+$
which are $\le$-minimal with this property are therefore of great interest.

Definition 4.3. Let $N \in \mathcal{NA}$, $X \in Sub(N)$ and $\Sigma$ a set of multi-valued and
functional dependencies on $N$. Let $Dep(X)$ be the set of all $Y \in Sub(N)$ with
$X \twoheadrightarrow Y \in \Sigma^+$ and $X^+ = \bigsqcup \{Y \mid X \to Y \in \Sigma^+\}$. Let $X^M \subseteq Sub(N)$ have the
following properties:

1. for all $U \in MaxB(N)$ there is a unique $V \in X^M$ with $U \le V$,

2. for all $U \in X^M$ there is some $W \subseteq MaxB(N)$ with $U = \bigsqcup W$,

3. for all $V \in Dep(X)$ there is some $Z \subseteq X^M$ with $V^{CC} = \bigsqcup Z$, and

4. $X^M$ is maximal with these properties with respect to $\subseteq_{gen}$.

The dependency basis of $X$ with respect to $\Sigma$ is $DepB(X) = SubB(X^+) \cup X^M$.

□

Note that $\{MaxB(W) \mid W \in X^M\}$ is the partition of $MaxB(N)$ which is
generated by $\{MaxB(Y^{CC}) \mid Y \in Dep(X)\}$. The first property says that every
maximal basis attribute of $N$ is the subattribute of exactly one element in $X^M$.
The second property guarantees that every element in $X^M$ is the join of maximal
basis attributes of $N$. If $X \twoheadrightarrow V \in \Sigma^+$ holds, then the join of all basis attributes
in $V$ which are maximal in $N$ (i.e., $V^{CC}$) is the join over elements of $X^M$ by the
third property. The last property guarantees the uniqueness of the dependency
basis and that $X \twoheadrightarrow W \in \Sigma^+$ holds for all $W \in X^M$.

Lemma 4.2. Let $N \in \mathcal{NA}$, $\Sigma$ a set of functional and multi-valued dependencies
on $N$, $X \le N$ and $DepB(X) = SubB(X^+) \cup X^M$ the dependency basis of $X$
with respect to $\Sigma$. If $W \in X^M$, then $W \in Dep(X)$.

Proof (Sketch). Let IT £ X M and assume IT ^ Dep(X). Let IT be the <- 

cc 

smallest superattribute of IT with IT £ Dep(X). We can assume that If = If 

holds due to the Brouwerian-complement rule. According to Definition 4.3 we 
have IF = If U W\ U • • • U W„ with If, W\, . . . , W n £ X M and n > 1. It can 
then be shown that X N = X M \{ If, Wi, . . . , W n j U {If} satisfies the first three 
properties of Definition 4.3. This contradicts the maximality of X M with respect 
to C gen and IF £ Dep(X) follows. □ 

We can now show that an MVD $X \twoheadrightarrow Y$ is derivable from $\Sigma$ if and only if
the right-hand side $Y$ is the join over some elements of the dependency basis of
$X$ with respect to $\Sigma$.

Proposition 4.2. Let $N \in \mathcal{NA}$ and $\Sigma$ a set of functional and multi-valued
dependencies on $N$. Then

1. $X \twoheadrightarrow Y \in \Sigma^+$ if and only if $Y = \bigsqcup Z$ for some $Z \subseteq DepB(X)$

2. $X \to Y \in \Sigma^+$ if and only if $Y \le X^+$.

Proof. The second property is obvious. Let $Y \in Dep(X)$. Recall that $Y =
Y^{CC} \sqcup (Y \sqcap Y^C)$ holds. From $Y \in Dep(X)$ follows $Y^{CC} = \bigsqcup Z_1$ for some $Z_1 \subseteq X^M$
by Definition 4.3, and $X \to Y \sqcap Y^C \in \Sigma^+$ by the mixed meet rule. It follows
that $Y \sqcap Y^C \le X^+$ and, therefore, $Y \sqcap Y^C = \bigsqcup Z_2$ for some $Z_2 \subseteq SubB(X^+)$.
Hence, $Y = \bigsqcup Z$ for some $Z \subseteq DepB(X)$.

Assume now that $Y = \bigsqcup Z$ holds for some $Z \subseteq DepB(X)$. Then $Z = Z_1 \cup Z_2$
with $Z_1 \subseteq SubB(X^+)$ and $Z_2 \subseteq X^M$. It follows that $\bigsqcup Z_1 = Y_1 \le X^+$, and
the reflexivity rule, join rule and transitivity rule imply $X \to Y_1 \in \Sigma^+$. The
implication rule gives $X \twoheadrightarrow Y_1 \in \Sigma^+$. Furthermore, if $Z_2 = \{V_1, \dots, V_m\} \subseteq X^M$,
then $X \twoheadrightarrow V_i \in \Sigma^+$ for $1 \le i \le m$ by Lemma 4.2. Applying the multi-valued
join rule gives $X \twoheadrightarrow Y \in \Sigma^+$. □

4.4 Completeness 

Proving the completeness result for functional and multi-valued dependencies
will involve the definition of some instance which satisfies all dependencies in
$\Sigma$. This instance will initially contain two elements $t_1, t_2$ which are coincident
on exactly all attributes which are functionally determined by some fixed $X$.
Afterwards new elements are generated and added to the instance by exhaustively
combining values from $t_1$ on some $W \subseteq X^M$ and the values from $t_2$ on $X^M \setminus W$.
Let $W, W' \in X^M$. Since the meet $W \sqcap W'$ is not necessarily equal to $\lambda$ one needs
to show that such a construction is possible in general. It will turn out that
$SubB(W \sqcap W')$ contains only attributes already functionally determined by $X$.

Definition 4.4. Let $N \in \mathcal{NA}$, $X' \subseteq MaxB(N)$ and $X = \bigsqcup X'$. A basis
attribute $Y \in SubB(X)$ is possessed by $X$ if and only if every basis attribute
$Z \in SubB(N)$ with $Y \le Z$ is also a subattribute of $X$ ($Z \le X$). □

It follows that $SubB(W \sqcap W')$ with $W, W' \in X^M$ contains only basis
attributes of $W$ or $W'$ which are neither possessed by $W$ nor by $W'$.

Fig. 2. The subattribute basis of K[L(M[N(A,B)],C)]



Example 4.3. Let $K[L(M[N(A, B)],C)] \in \mathcal{NA}$, and $X = K[L(M[N(A, B)])]$.
Then $X$ does possess $K[L(M[\lambda])]$, but does not possess $K[\lambda]$. For an illustration
see also Figure 2. □

A basis attribute is not possessed by some X exactly if it is also a basis 
attribute of X c . According to the mixed meet rule it follows that basis attributes 
which are not possessed by some element in X M are functionally determined by 
X. 

Lemma 4.3. Let $N \in \mathcal{NA}$, $X' \subseteq MaxB(N)$, $X = \bigsqcup X'$ and $Y \in SubB(X)$.
Then $Y$ is possessed by $X$ if and only if $Y \notin SubB(X^C)$. □

Corollary 4.1. Let $N \in \mathcal{NA}$, $X \le N$, $\Sigma$ a set of functional and multi-valued
dependencies on $N$, and $DepB(X) = SubB(X^+) \cup X^M$. Then for every $W \in X^M$
and every $Y \in SubB(W)$ that is not possessed by $W$ follows that $Y \le X^+$.

Proof. Since $Y$ is not possessed by $W$, $Y \in SubB(W^C)$ by Lemma 4.3 and
therefore $Y \le W \sqcap W^C$. Lemma 4.2 implies that $X \twoheadrightarrow W \in \Sigma^+$ holds, and
using the mixed meet rule we infer $X \to W \sqcap W^C$. The reflexivity rule implies
$W \sqcap W^C \to Y \in \Sigma^+$ from $Y \le W \sqcap W^C$. The statement $X \to Y \in \Sigma^+$ follows
now from the transitivity rule. □

Suppose $DepB(X) = SubB(X^+) \cup \{W_{0,1}, \dots, W_{0,m}, W_1, \dots, W_k\}$ with $W_{0,i} \le
X^+$ for $i = 1, \dots, m$ and $W_1, \dots, W_k \not\le X^+$. We have seen that $SubB(W_i \sqcap W_j)$,
$i \ne j$, contains only basis attributes of $W_i$ or $W_j$ neither possessed by $W_i$ nor
by $W_j$. It follows that $X \to W_i \sqcap W_j$ holds.

Assume now that there are two elements $t_1, t_2 \in Dom(N)$ which coincide on
at least all subattributes of $X^+$. It is then easy to see that one can substitute the
values of $t_1$ on all subattributes of some given $W_i \in X^M$ for the corresponding
values of $t_2$ and end up with an element in $Dom(N)$.

Lemma 4.4. Let $N \in \mathcal{NA}$, $\Sigma$ a set of functional and multi-valued
dependencies on $N$ and $X \le N$. Let $DepB(X) = SubB(X^+) \cup X^M$ with
$X^M = \{W_{0,1}, \dots, W_{0,m}, W_1, \dots, W_k\}$ and $W_{0,i} \le X^+$ for $1 \le i \le m$ and
l l"i , . . . , Wk ^ X + . Let t\,t 2 G DomfN) with 7T^(fi) = if W < X + . 

Then for all $W = \bigsqcup W'$ with $W' \subseteq \{W_1, \dots, W_k\}$ there is some $t \in Dom(N)$
with $\pi_W^N(t) = \pi_W^N(t_1)$ and $\pi_{W^C}^N(t) = \pi_{W^C}^N(t_2)$. □

Corollary 4.1 shows that every basis attribute which is not possessed by any
$W_i \in X^M$ is functionally determined by $X$, i.e., elements in $Dom(N)$ with the
same value on $X$ will also coincide on all basis attributes which are not possessed
by any $W_i \in X^M$. The statement from Lemma 4.4 is therefore equivalent to the
fact that there is some $t \in Dom(N)$ with

$$\pi_A^N(t) = \begin{cases} \pi_A^N(t_1), & \text{if } A \text{ is possessed by some } W_i \in W' \\ \pi_A^N(t_2), & \text{else} \end{cases}$$

Theorem 4.2. The set of rules from Proposition 4.1 is sound and complete
for the implication of functional and multi-valued dependencies on some nested
attribute $N$.

Proof. Due to Proposition 4.1, it remains to show the completeness, i.e., $\Sigma^* \subseteq
\Sigma^+$. Let $X \in Sub(N)$. Let $DepB(X) = SubB(X^+) \cup X^M$ with $X^M = \{W_{0,1}, \dots,
W_{0,m}, W_1, \dots, W_k\}$ and $W_{0,i} \le X^+$ for $i = 1, \dots, m$ and $W_1, \dots, W_k \not\le X^+$.
Take $t_1, t_2 \in Dom(N)$ defined by

$\pi_W^N(t_1) = \pi_W^N(t_2)$ iff $W \le X^+$.

Recall that such $t_1, t_2$ exist according to Lemma 3.2. Define an instance $r \subseteq
Dom(N)$ with $t_1, t_2 \in r$ and add for every $W = \bigsqcup W'$ with $W' \subseteq \{W_1, \dots, W_k\}$
the t £ Dom(N) with n w(t) = Tr^(ti) and 7r^) c (t) = from Lemma 4.4 

to r. Obviously, r has exactly 2 fc elements, and if 7r^ (U) y^ tt ^(ty), then also 
7r^y(tj) y^ 7 on ad IT < IT; which are possessed by Wi. 

We will show that $\models_r \Sigma$. Then, for $X \to Y \in \Sigma^*$ we have $\models_r X \to Y$. Since
all elements of $r$ coincide on $X^+$, $r$ can only satisfy $X \to Y$ if all elements of
$r$ also coincide on $Y$. It follows by construction of $r$ that $Y \le X^+$. Proposition
4.2 implies $X \to Y \in \Sigma^+$. For $X \twoheadrightarrow Y \in \Sigma^*$ we have $\models_r X \twoheadrightarrow Y$. Again
by construction, $r$ can only satisfy $X \twoheadrightarrow Y$ if $Y = X_0 \sqcup W_{i_1} \sqcup \dots \sqcup W_{i_m}$ with
$X_0 \le X^+$ and $1 \le i_1 < \dots < i_m \le k$. Therefore, $X \twoheadrightarrow Y \in \Sigma^+$ by Proposition
4.2. We now show that $\models_r \Sigma$ holds.

1. Suppose $U \to V \in \Sigma$. Define

$W = \bigsqcup \{W_i \mid \exists U'.\ U' \le U$ and $U'$ is possessed by $W_i\}$.

It follows that $U \le X^+ \sqcup W$ since every subattribute of $U$ that is possessed
by some $W_i$ is also a subattribute of $W$ and every subattribute of $U$ that is
not possessed by any $W_i$ is a subattribute of $X^+$. The reflexivity rule implies
$X^+ \sqcup W \to U \in \Sigma^+$. Using the transitivity rule gives $X^+ \sqcup W \to V \in \Sigma^+$.
Take $t_i, t_j \in r$ with $\pi_U^N(t_i) = \pi_U^N(t_j)$. All elements of $r$ are equal on $X^+$.
Assume 7 r^(tj) yf n Then there is some IT; with 7r {y ( ti ) yf 7 r$- (tj) and 
some subattribute U' <U which is possessed by IT;. Consequently, Tiff, (ti) y^ 
TT^f,(tj) and, therefore, 7T^ (tf) y^ 7 (tj) too, a contradiction. It follows that 
t = 7 holds and therefore n% +uw (ti) = Tr% +uw (tj) as welL 
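Now, $X^+ \sqcup W$ is the join of elements in $DepB(X)$, i.e., $X \twoheadrightarrow X^+ \sqcup W \in \Sigma^+$
by Proposition 4.2. Hence, we infer $X \to (V \mathbin{\dot{-}} (X^+ \sqcup W)) \in \Sigma^+$ by the
mixed pseudo-transitivity rule. Proposition 4.2 implies $V \mathbin{\dot{-}} (X^+ \sqcup W) \le X^+$,
and therefore $\pi_{V \dot{-} (X^+ \sqcup W)}^N(t_i) = \pi_{V \dot{-} (X^+ \sqcup W)}^N(t_j)$. Since $V \le (X^+ \sqcup W) \sqcup
(V \mathbin{\dot{-}} (X^+ \sqcup W))$ holds, we obtain $\pi_V^N(t_i) = \pi_V^N(t_j)$. This proves $\models_r U \to V$.

2. Suppose $U \twoheadrightarrow V \in \Sigma$. Define again

$W = \bigsqcup \{W_i \mid \exists U'.\ U' \le U$ and $U'$ is possessed by $W_i\}$.

As before, $U \le X^+ \sqcup W$ holds. From $U \twoheadrightarrow V \in \Sigma$ and $U \le X^+ \sqcup W$ follows
$X^+ \sqcup W \twoheadrightarrow V \in \Sigma^+$ by the multi-valued augmentation rule.

Take $t_i, t_j \in r$ with $\pi_U^N(t_i) = \pi_U^N(t_j)$. Again, the construction of $r$ implies
$\pi_{X^+ \sqcup W}^N(t_i) = \pi_{X^+ \sqcup W}^N(t_j)$. Since $X \twoheadrightarrow X^+ \sqcup W \in \Sigma^+$ holds by Proposition
4.2, the pseudo-transitivity rule allows to derive $X \twoheadrightarrow (V \mathbin{\dot{-}} (X^+ \sqcup W)) \in
\Sigma^+$. Therefore, $V \mathbin{\dot{-}} (X^+ \sqcup W)$ is the join of some elements in $DepB(X)$ by
Proposition 4.2. By construction of $r$ there is some $t \in r$ with

$\pi_{X^+ \sqcup W \sqcup (V \dot{-} (X^+ \sqcup W))}^N(t) = \pi_{X^+ \sqcup W \sqcup (V \dot{-} (X^+ \sqcup W))}^N(t_i)$

and

$\pi_{X^+ \sqcup W \sqcup (V \dot{-} (X^+ \sqcup W))^C}^N(t) = \pi_{X^+ \sqcup W \sqcup (V \dot{-} (X^+ \sqcup W))^C}^N(t_j)$.

As $U, V \le X^+ \sqcup W \sqcup (V \mathbin{\dot{-}} (X^+ \sqcup W))$ hold, we have $U \sqcup V \le X^+ \sqcup W \sqcup
(V \mathbin{\dot{-}} (X^+ \sqcup W))$ and therefore $\pi_{U \sqcup V}^N(t) = \pi_{U \sqcup V}^N(t_i)$. Since

$(V \mathbin{\dot{-}} (X^+ \sqcup W))^{CC} \le V \mathbin{\dot{-}} (X^+ \sqcup W) \le V$,

it follows from the defining property of the Brouwerian-complement that
$V \sqcup (V \mathbin{\dot{-}} (X^+ \sqcup W))^C = N$, and consequently $V^C \le (V \mathbin{\dot{-}} (X^+ \sqcup W))^C$. But
then $U \sqcup V^C \le X^+ \sqcup W \sqcup (V \mathbin{\dot{-}} (X^+ \sqcup W))^C$ and thus $\pi_{U \sqcup V^C}^N(t) = \pi_{U \sqcup V^C}^N(t_j)$.
This proves $\models_r U \twoheadrightarrow V$. □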

In summary, the construction is based on the relational theory for maximal
basis attributes and the fact that non-maximal basis attributes not possessed by
any $W \in X^M$ are functionally determined by $X$. The rest follows by using the
algebraic framework.

5 Future Work 

An examination of the independence of the inference rules from Proposition 4.1 
was beyond the scope of this paper. In particular, the role of the Brouwerian- 
complement rule will be similar to the one of the complementation rule in re- 
lational databases [11,30]. Removing the Brouwerian-complement rule the com- 
pleteness proof of Theorem 4.2 does not apply. We are confident that the results 
from [12] can be carried over. Several lines of research might be followed. Next 
we would like to investigate the finite implication problem of FDs and MVDs 
extending the work in [6] to advanced data models. Normalisation and its se- 
mantic justification should be studied in the presence of FDs and MVDs leading 
to an extension of fourth normal form [21,42]. Other classes of relational depen- 
dencies (see [39] for an overview), such as join and inclusion dependencies, are 
to be generalised in the future. Finally, various combinations of different types
including sets, multisets, unions and references are subjects for future research.

Abstract. It is well known that the complexity of testing the correctness
of an arbitrary update to a database view can be far greater than
the complexity of testing a corresponding update to the main schema.
However, views are generally managed according to some protocol which
limits the admissible updates to a subset of all possible changes. The
question thus arises as to whether there is a more tractable relationship
between these two complexities in the presence of such a protocol. In this
paper, this question is answered in the affirmative for closed update
strategies, which are based upon the constant-complement approach of
Bancilhon and Spyratos. Working within a very general framework which is
independent of any particular data model, but which recaptures relational
schemata constrained by so-called equality-generating dependencies
(EGDs), which include functional dependencies (FDs), it is shown that
the complexity of testing the correctness of a view update which follows
a closed update strategy is no greater than that of testing a corresponding
update to the main schema. In particular, if the main schema is
relational and constrained by FDs, then there exists a set of FDs on the
view, against which any candidate update may be tested for correctness.
This holds even though the entire view may not be finitely axiomatizable,
much less constrained by FDs alone.



1 Introduction 

In a seminal work [1], Bancilhon and Spyratos showed how well-behaved update 
strategies for database views can be modelled in a very general framework using 
the so-called constant complement strategy. In more recent work, [2], [3], it is 
shown that by augmenting this basic framework with natural order structure, 
true uniqueness for so-called order-based updates may be obtained, in the sense 
that there is but one way to represent an update to the view in terms of an 
update to the main schema, regardless of the choice of complement. (Order-based
updates are those which are realizable as a sequence of insertions and
deletions.)

In this paper, the work of [2] and [3] is continued with an initial investigation
of the complexity of determining whether a proposed view update is valid.
This is hardly an idle question. Indeed, the axiomatization of a view may be
infinitely more complex than that of the base schema, even in very simple cases.
For example, for the relational schema $E_1$ with the single relation name $R[ABCD]$
on four attributes and the constraining set of functional dependencies (FDs)
$\mathcal{F}_1 = \{A \to D, B \to D, CD \to A\}$, the projection view $\Pi_{ABC}$ is not finitely
axiomatizable [4].

Even without any special data structures, testing whether a relation satisfies
a set of FDs is possible in time $O(n^2)$, with $n$ the number of tuples in the relation,
since it suffices to check each pair of tuples for conflict. If it is known that $M$ is
already a legal state and $t$ is a tuple to be inserted, then testing whether $M \cup \{t\}$
satisfies the FDs may be performed in time $O(n)$. Under certain circumstances
(e.g., with key dependencies), if the tuples are suitably indexed, these times
may be reduced to $O(n)$ and $O(1)$, respectively. On the other hand, for the view
$\Pi_{ABC}$ identified above, neither test can be performed in worst-case $O(n^k)$ for
any natural number $k$. Thus, the increase in complexity is indeed substantial,
and certainly dashes any notion of tractability.

However, all is not lost, for testing an arbitrary proposed update to a view
for correctness is far more general a task than is testing a proposed update under
a closed update strategy. To address the latter idea, a notion of relative complexity
is introduced, which takes into account that partial information regarding
constraint satisfaction is already known about the proposed new view state.
To illustrate, let $E_2$ be the relational schema with the five-attribute relation
$S[ABCDE]$, with constraints $\mathcal{F}_2 = \mathcal{F}_1 \cup \{A \to E\}$. The view to be updated is
$\Pi_{ABCE}$, with the allowable updates those which hold the complementary view
$\Pi_{ABCD}$ constant. The updates which are allowed under the theory of closed
update strategies are precisely those which hold the meet of these two views,
$\Pi_{ABC}$, constant. Now $\Pi_{ABCE}$ is not finitely axiomatizable, for the same reason
that the view $\Pi_{ABC}$ of $E_1$ is not. However, since $\Pi_{ABC}$ is to be held constant
under any update to $\Pi_{ABCE}$, proposed updates need only be tested against the
embedded FD $A \to E$; it is already known that the "ABC" part of the proposed
new database is legal. Thus, the relative complexity of testing a proposed update
to $\Pi_{ABCE}$ is $O(n^2)$, the same as that for proposed updates to the main schema
$E_2$, even though the view $\Pi_{ABCE}$ itself is not finitely axiomatizable. This idea is
developed more formally in Example 4.15.
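As an added illustration (not code from the paper), the following Python code carries out the constant-complement update just described on a small constructed state of S[ABCDE]. The proposed new state of the ABCE view is tested only against the embedded FD A → E, reflected by joining it with the unchanged ABCD complement, and the result is then checked pairwise against the full constraint set. The function names and the sample tuples are assumptions of this example.

```python
"""Constant-complement update of the view Π_ABCE of S[ABCDE] (added example)."""
from itertools import combinations

SCHEMA = "ABCDE"
# F2 = F1 ∪ {A → E} with F1 = {A → D, B → D, CD → A}, as (lhs, rhs) pairs.
F2 = [("A", "D"), ("B", "D"), ("CD", "A"), ("A", "E")]


def val(t, schema, attrs):
    """Values of tuple t (laid out as `schema`) on the attributes `attrs`."""
    return tuple(t[schema.index(a)] for a in attrs)


def project(rel, schema, attrs):
    return {val(t, schema, attrs) for t in rel}


def violated(rel, schema, fds):
    """Pairwise O(n^2) test; returns the FDs of `fds` that `rel` violates."""
    return [(lhs, rhs) for lhs, rhs in fds
            if any(val(t, schema, lhs) == val(u, schema, lhs)
                   and val(t, schema, rhs) != val(u, schema, rhs)
                   for t, u in combinations(rel, 2))]


def reflect(m, new_view):
    """Reflect a new state of Π_ABCE into S while holding Π_ABCD constant."""
    if project(new_view, "ABCE", "ABC") != project(m, SCHEMA, "ABC"):
        raise ValueError("update changes the meet Π_ABC")
    # Relative test: only the embedded FD A → E is checked on the view state.
    if violated(new_view, "ABCE", [("A", "E")]):
        raise ValueError("new view state violates the embedded FD A → E")
    complement = project(m, SCHEMA, "ABCD")
    return {(a, b, c, d, e)
            for a, b, c, e in new_view
            for a2, b2, c2, d in complement if (a, b, c) == (a2, b2, c2)}


# Constructed legal state of S and a proposed new state of the view Π_ABCE
# that changes the E value attached to a1.
M = {("a1", "b1", "c1", "d1", "e1"),
     ("a1", "b1", "c2", "d1", "e1"),
     ("a2", "b2", "c1", "d2", "e2")}
NEW_VIEW = {("a1", "b1", "c1", "e9"),
            ("a1", "b1", "c2", "e9"),
            ("a2", "b2", "c1", "e2")}

if __name__ == "__main__":
    m2 = reflect(M, NEW_VIEW)
    print("reflected state:", sorted(m2))
    print("violations of F2 in reflected state:", violated(m2, SCHEMA, F2))
```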

The main result of this paper is that this sort of result holds in a very
general context; that is, if the complexity of testing the correctness of a potential
database in the main schema is $O(n^k)$, then the relative complexity of testing
the correctness of a potential database which is the result of a proposed update
under a closed strategy is also $O(n^k)$.

A secondary result is also provided. In [2, 4.2] [3, 4.3], it is shown that the
reflection to the main schema of an update to a closed view is unique, provided
that the update is realizable as a sequence of legal insertions and deletions. In
this paper, it is shown that the intermediate states in fact need not be legal;
that it is enough that the update be realizable as sequence of insertions and
deletions, and that the initial and final states be legal. In other words, essentially
all updates under closed update strategies in an order-based framework reflect
uniquely back to the main view. To illustrate, let $E_3$ be the schema consisting of
the single relation R[ABC], constrained by = {B — >• A, B — » C}. The view 
to be updated is $\Pi_{AB}$, with $\Pi_{BC}$ the complement to be held constant. The legal
updates to $\Pi_{AB}$, none of which are insertions or deletions, are those which hold
$\Pi_B$ constant and which respect the FD $B \to A$; i.e., those which alter the $A$
values of existing tuples. Thus, the results of [2] [3] do not apply. However, the
extensions developed in Sect. 5 do, since the updates may be realized as sequences
of insertions and deletions in which the intermediate states may violate the FD
$B \to A$. A more detailed explanation is provided in Example 5.9.



2 An Overview of Existing Work 

The results presented herein depend heavily upon the earlier work of the author 
on closed update strategies, which in turn depends upon the initial work of 
Bancilhon and Spyratos. To provide the reader with the essential background, 
this section contains two summaries. Summary 2.1 recaps the essential ideas 
of closed update strategies within the original set-based framework. Thus, it 
provides the essence of the framework of [1], although it is recast within the 
formalism of [2] [3]. Summary 2.2 sketches the key ideas developed in [2] [3] 
which are necessary to extend the set-based ideas to the order-based context. 

While every effort has been made to keep this paper self contained, it may 
nevertheless be necessary to consult [2] and/or [3] to resolve detailed technical is- 
sues. Also, while the general theory is not attached to any particular data model, 
numerous examples are taken from the classical relational theory. Therefore, it is 
assumed that the reader is familiar with its standard notation and terminology. 

Summary 2.1 (The classical results in the set-based framework). In the
original work of Bancilhon and Spyratos [1], a database schema $D$ is just a set.
To maintain consistency with the more structured frameworks to be introduced
shortly, this set will be denoted $LDB(D)$ and called the legal databases of $D$.
Thus, a database schema is modelled by its instances alone; constraints, schema
structure, and the like are not explicitly represented. A morphism $f : D_1 \to D_2$
of database schemata is a function $f : LDB(D_1) \to LDB(D_2)$.

A view of the schema $D$ is a pair $\Gamma = (V, \gamma)$ in which $V$ is a schema and
$\gamma : D \to V$ is a surjective database morphism. A morphism $f : \Gamma_1 \to \Gamma_2$ of
views $\Gamma_1 = (V_1, \gamma_1)$ and $\Gamma_2 = (V_2, \gamma_2)$ is a morphism $f : V_1 \to V_2$ of schemata
such that the diagram to the right commutes. Following standard categorical
terminology [5, 3.8], the morphism $f$ is an isomorphism if there is a
$g : V_2 \to V_1$ which is both a left and a right inverse to $f$. The congruence
of $\Gamma$ is the equivalence relation on $LDB(D)$ defined by
$(M_1, M_2) \in Congr(\Gamma)$ iff $\gamma(M_1) = \gamma(M_2)$. It is easy to see that $\Gamma_1 = (V_1, \gamma_1)$
and $\Gamma_2 = (V_2, \gamma_2)$ of $D$ are isomorphic iff $Congr(\Gamma_1) = Congr(\Gamma_2)$.

An update on the schema $D$ is a pair $(M_1, M_2) \in LDB(D) \times LDB(D)$, which
specifies a change of the state of $D$ from $M_1$ to $M_2$. A closed update family $U$
on $D$ is a set of updates which forms an equivalence relation; that is:

(up-r) For each $M \in LDB(D)$, $(M, M) \in U$.

(up-s) If $(M_1, M_2) \in U$, then $(M_2, M_1) \in U$ as well.

(up-t) If $(M_1, M_2), (M_2, M_3) \in U$, then $(M_1, M_3) \in U$.

Thus, in a closed update family, all updates are reversible, and compatible
updates are composable.

Now let $\Gamma = (V, \gamma)$ be a view of the schema $D$, and let $U$ and $T$ be closed
update families for $D$ and $V$ respectively. An update strategy is a rule which
translates updates on the view (i.e., in $T$) to updates on the main schema (i.e.,
in $U$). Formally, an update strategy for $T$ with respect to $U$ is a partial function
$\rho : LDB(D) \times LDB(V) \to LDB(D)$ which satisfies the following five conditions.
(Here $X\!\downarrow$ means that $X$ is defined.)

(upt:1) $\rho(M, N)\!\downarrow$ iff $(\gamma(M), N) \in T$. [Admissibility of an update depends only
upon the state of $V$, and not otherwise upon that of $D$.]

(upt:2) If $\rho(M, N)\!\downarrow$, then $(M, \rho(M, N)) \in U$ and $\gamma(\rho(M, N)) = N$.

(upt:3) For every $M \in LDB(D)$, $\rho(M, \gamma(M)) = M$. [Identity updates are
reflected as identities.]

(upt:4) If $\rho(M, N)\!\downarrow$, then $\rho(\rho(M, N), \gamma(M)) = M$. [Every view update is
globally reversible.]

(upt:5) If $\rho(M, N_1)\!\downarrow$ and $\rho(\rho(M, N_1), N_2)\!\downarrow$, then $\rho(M, N_2) = \rho(\rho(M, N_1), N_2)$.
[View update reflection is transitive.]

The idea of such an update strategy is shown in Fig. 2 below. Put another way,
$\rho$ : (current state of $D$, new state of $V$) $\mapsto$ new state of $D$ in such a way that the
new state of $D$ gives rise to the desired new state of $V$. The update to $V$ must
lie in $T$, and the reflected update to $D$ must lie in $U$. In practice, $U$ is often
taken to be all possible updates on $D$, i.e., $LDB(D) \times LDB(D)$, but this is in no
way essential to the theory.

Some authors have argued that closed update strategies are too restrictive to be
of use [6]. However, as shown in [3], they are precisely the view updates which
(a) do not depend upon the corresponding state of the main schema for
admissibility, and (b) have their effect visible entirely within the view. In
other words, they are the updates which can be understood entirely within the
context of the view itself.

Fig. 2. Update strategy (reflected update: $M_1 \mapsto \rho(M_1,N_2)$; view update: $\gamma(M_1) = N_1 \mapsto N_2 = \gamma(\rho(M_1,N_2))$)

The idea that all view updates in a closed strategy have their effect contained
entirely within the view itself is further manifested in their characterization
via constant complement. A pair $\{\Gamma_1 = (\mathbf{V}_1,\gamma_1), \Gamma_2 = (\mathbf{V}_2,\gamma_2)\}$ of views of
the schema $\mathbf{D}$ is called a subdirect complementary pair if it defines a lossless
decomposition of $\mathbf{D}$. More precisely, the product
$\Gamma_1 \times \Gamma_2 = (\mathbf{V}_1 \,{}_{\gamma_1}\!\otimes_{\gamma_2} \mathbf{V}_2, \gamma_1 \otimes \gamma_2)$
has $\mathsf{LDB}(\mathbf{V}_1 \,{}_{\gamma_1}\!\otimes_{\gamma_2} \mathbf{V}_2) = \{(\gamma_1(M), \gamma_2(M)) \mid M \in \mathsf{LDB}(\mathbf{D})\}$. The morphism
$\gamma_1 \otimes \gamma_2 : \mathbf{D} \to \mathbf{V}_1 \,{}_{\gamma_1}\!\otimes_{\gamma_2} \mathbf{V}_2$ is given on elements by $M \mapsto (\gamma_1(M), \gamma_2(M))$. The
pair $\{\Gamma_1, \Gamma_2\}$ forms a subdirect complementary pair, and $\Gamma_1$ and $\Gamma_2$ are called
subdirect complements of one another, just in case $\gamma_1 \otimes \gamma_2$ is a bijection. In other
words, $\{\Gamma_1, \Gamma_2\}$ is a subdirect complementary pair precisely in the case that the
state of the schema $\mathbf{D}$ is recoverable from the combined states of $\mathbf{V}_1$ and $\mathbf{V}_2$.

If $\{\Gamma_1,\Gamma_2\}$ is a subdirect complementary pair, it is clear that there can
be at most one update strategy on $\Gamma_1$ which holds $\Gamma_2$ constant. Specifically,
define $\mathsf{UpdStr}\langle\Gamma_1,\Gamma_2\rangle : \mathsf{LDB}(\mathbf{D}) \times \mathsf{LDB}(\mathbf{V}_1) \to \mathsf{LDB}(\mathbf{D})$ by
$(M,N) \mapsto (\gamma_1 \otimes \gamma_2)^{-1}(N, \gamma_2(M))$ whenever $(N, \gamma_2(M)) \in \mathsf{LDB}(\mathbf{V}_1 \,{}_{\gamma_1}\!\otimes_{\gamma_2} \mathbf{V}_2)$, and
undefined otherwise. $\mathsf{UpdStr}\langle\Gamma_1,\Gamma_2\rangle$ is called the update strategy for $\Gamma_1$ with
constant complement $\Gamma_2$. As first shown by Bancilhon and Spyratos [1, Thm. 7.3],
every closed update strategy on a view $\Gamma$ is of the form $\mathsf{UpdStr}\langle\Gamma,\Gamma'\rangle$ for some
view $\Gamma'$. Specifically, let $T$ and $U$ be closed update strategies for $\mathbf{V}$ and $\mathbf{D}$
respectively, and $\rho$ an update strategy for $T$ with respect to $U$. The induced
update family on $\mathbf{D}$ is the smallest subset of $U$ which will support the
updates in $T$. It is denoted $\equiv_\rho$ and is given by
$\{(M_1,M_2) \in \mathsf{LDB}(\mathbf{D}) \mid (\exists N \in \mathsf{LDB}(\mathbf{V}))(\rho(M_1,N) = M_2)\}$.
The $\rho$-complement of $\Gamma$, denoted $\Gamma^{\rho} = (\mathbf{V}^{\rho}, \gamma^{\rho})$,
is defined to have $\mathsf{LDB}(\mathbf{V}^{\rho}) = \mathsf{LDB}(\mathbf{D})/{\equiv_\rho}$, with the morphism $\gamma^{\rho} : \mathbf{D} \to \mathbf{V}^{\rho}$
given by $M \mapsto [M]_{\equiv_\rho}$; the latter denoting the equivalence class of $M$ in $\equiv_\rho$. In
other words, $(M_1,M_2) \in \mathsf{Congr}(\Gamma^{\rho})$ iff some view update $(N_1,N_2) \in T$ changes
the state of $\mathbf{D}$ from $M_1 \in \gamma^{-1}(N_1)$ to $M_2 \in \gamma^{-1}(N_2)$. Thus, by construction,
a potential update $(N_1,N_2) \in \mathsf{LDB}(\mathbf{V})$ is supported under $\rho$ iff for some (resp.
any) $M_1 \in \gamma^{-1}(N_1)$, there is an $M_2 \in \mathsf{LDB}(\mathbf{D})$ with $(M_1,M_2) \in \mathsf{Congr}(\Gamma^{\rho})$.
In other words, the allowable updates to $\Gamma$ under $\rho$ are precisely those whose
reflection into $\mathbf{D}$ leaves $\mathbf{V}^{\rho}$ fixed; i.e., $\rho = \mathsf{UpdStr}\langle\Gamma,\Gamma^{\rho}\rangle$.

Not all subdirect complements give rise to closed update strategies.
Condition (upt:1) mandates that the admissibility of a view update depend
upon the state of the view alone. Thus, any information which is contained
in the complement view and which is needed to determine the admissibility
of an update must be contained in the view to be updated as well. The
necessary condition, first observed in [7, 2.10], is that the congruences must
commute. Formally, the pair $\{\Gamma_1,\Gamma_2\}$ of views of $\mathbf{D}$ is called a fully commuting
pair if $\mathsf{Congr}(\Gamma_1) \circ \mathsf{Congr}(\Gamma_2) = \mathsf{Congr}(\Gamma_2) \circ \mathsf{Congr}(\Gamma_1)$, with "$\circ$" denoting ordinary
relational composition. A subdirect complementary pair $\{\Gamma_1,\Gamma_2\}$ which is fully
commuting is called a meet-complementary pair, and $\Gamma_1$ and $\Gamma_2$ are called meet
complements of one another. In this case, $\mathsf{Congr}(\Gamma_1) \circ \mathsf{Congr}(\Gamma_2)$ is also an
equivalence relation on $\mathsf{LDB}(\mathbf{D})$, and so it is possible to define (up to isomorphism) the
view $\Gamma_1 \wedge \Gamma_2 = (\mathbf{V}_1 \,{}_{\gamma_1}\!\wedge_{\gamma_2} \mathbf{V}_2, \gamma_1 \wedge \gamma_2)$ with $\mathsf{Congr}(\Gamma_1 \wedge \Gamma_2) = \mathsf{Congr}(\Gamma_1) \circ \mathsf{Congr}(\Gamma_2)$.



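Fig. 3. Relative views

The situation is summed up in Fig. 3 above. Note that $\mathbf{V}_1 \,{}_{\gamma_1}\!\wedge_{\gamma_2} \mathbf{V}_2$ is a
view not only of $\mathbf{D}$, but of $\mathbf{V}_1$ and $\mathbf{V}_2$ as well. Now define
$\mathsf{UpdFam}\langle\Gamma_1,\Gamma_2\rangle = \{(N_1,N_2) \in \mathsf{LDB}(\mathbf{V}_1) \times \mathsf{LDB}(\mathbf{V}_1) \mid \lambda\langle\Gamma_1, \Gamma_1 \wedge \Gamma_2\rangle(N_1) = \lambda\langle\Gamma_1, \Gamma_1 \wedge \Gamma_2\rangle(N_2)\}$.
$\mathsf{UpdFam}\langle\Gamma_1,\Gamma_2\rangle$ is a closed update family, called the update family induced by
$\Gamma_2$ on $\Gamma_1$. It embodies precisely the updates on $\Gamma_1$ which are admitted under
$\mathsf{UpdStr}\langle\Gamma_1,\Gamma_2\rangle$; in other words, the admissible updates to $\Gamma_1$ are precisely those
which keep the meet $\Gamma_1 \wedge \Gamma_2$ constant. The key result [2, 3.9] [3, 3.10] is the
following:

(a) For any update strategy $\rho$, $\mathsf{UpdStr}\langle\Gamma, \Gamma^{\rho}\rangle = \rho$.

(b) For any meet complement $\Gamma_1$ of $\Gamma$, $\Gamma^{\mathsf{UpdStr}\langle\Gamma,\Gamma_1\rangle} = \Gamma_1$.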

In the context of relational schema and views defined by projection, a pair of 
views forms a meet-complementary pair iff the decomposition is both lossless and 
dependency preserving [2, 2.16] [3, 2.17]. In this case, the meet view is just the 
projection on the common columns. To obtain an example in which the views 
form a subdirect complementary pair but not a meet complementary pair, it 
suffices to consider an example which is lossless but not dependency preserving. 

In [8], the connection between decompositions of database schemata and 
commuting congruences is investigated thoroughly. 

Summary 2.2 (The order-based framework). Despite its simplicity and
elegance, the set-based framework for closed update strategies has a
substantial shortcoming; namely, the update strategy depends upon the choice of the
complement. For example, let $\mathbf{E}_1$ be the relational schema with the single
relation $R[ABC]$, constrained by the single FD $B \to C$, and let $\Pi_{AB}$ be the view
defined by the projection mapping $\pi_{AB}$. Define $\Pi_{BC}$ similarly. Since the pair
$\{\Pi_{AB}, \Pi_{BC}\}$ forms a lossless and dependency-preserving decomposition of $\mathbf{E}_1$,
it also forms a meet-complementary pair [2, 2.16] [3, 2.17]. Indeed, $\Pi_{BC}$ is the
"natural" complement of $\Pi_{AB}$, and the one which yields the "obvious" strategy
for reflecting updates to $\Pi_{AB}$ back to $\mathbf{E}_1$. However, as shown in [2, 1.3] [3, 1.3],
it is possible to find other complements of $\Pi_{AB}$ which have exactly the same
meet, and so support exactly the same updates to $\Pi_{AB}$. Although these
alternate complements are a bit pathological, the set-based theory outlined above in
Summary 2.1 does not prefer $\Pi_{BC}$ to them in any way.
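
The "obvious" strategy named above, written out as an added example (not code from the paper): for R[ABC] with the FD B -> C, it computes the update strategy for the AB-projection with the BC-projection held constant by joining the new view state with the unchanged complement, and is undefined whenever the update would change the meet (the projection on B). Function names and the sample relation are constructed for illustration.

```python
# Added illustration: constant-complement update for R[ABC] with FD B -> C.
# View: Pi_AB; complement held constant: Pi_BC; meet: projection on B.
# Relation instances are frozensets of tuples; all data below is constructed.

def pi_ab(m):
    return frozenset((a, b) for a, b, _ in m)

def pi_bc(m):
    return frozenset((b, c) for _, b, c in m)

def satisfies_fd(m):
    """Legality test for the base schema: B -> C."""
    c_of = {}
    return all(c_of.setdefault(b, c) == c for _, b, c in m)

def upd_str(m, n):
    """UpdStr<Pi_AB, Pi_BC>(m, n): the reflected base state, or None if undefined.

    (n, Pi_BC(m)) is the image of a legal base state exactly when both have the
    same B-projection, i.e. when the update leaves the meet unchanged; the
    inverse of the decomposition is then the natural join.
    """
    comp = pi_bc(m)
    if {b for _, b in n} != {b for b, _ in comp}:
        return None
    return frozenset((a, b, c) for a, b in n for b2, c in comp if b == b2)

def check_axioms(m, n1, n2):
    """Check (upt:2)-(upt:5) on one base state and two admissible view states."""
    m1 = upd_str(m, n1)
    return (
        satisfies_fd(m1) and pi_ab(m1) == n1      # (upt:2): legal, view shows n1
        and pi_bc(m1) == pi_bc(m)                 # complement held constant
        and upd_str(m, pi_ab(m)) == m             # (upt:3): identity update
        and upd_str(m1, pi_ab(m)) == m            # (upt:4): reversibility
        and upd_str(m, n2) == upd_str(m1, n2)     # (upt:5): transitivity
    )

M = frozenset({("a1", "b1", "c1"), ("a2", "b2", "c2")})
N_OK = frozenset({("a1", "b1"), ("a3", "b1"), ("a2", "b2")})    # same B-values
N_OK2 = frozenset({("a5", "b1"), ("a2", "b2")})                 # same B-values
N_DROP = frozenset({("a1", "b1")})                              # loses b2
N_NEW = frozenset({("a1", "b1"), ("a2", "b2"), ("a4", "b3")})   # adds b3

if __name__ == "__main__":
    print(sorted(upd_str(M, N_OK)))
    print(upd_str(M, N_DROP), upd_str(M, N_NEW))
    print(check_axioms(M, N_OK, N_OK2))
```

Both rejected view states fail for the same reason: they alter the set of B-values, which is information shared with the complement.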

To formalize this preference, additional structure must be incorporated into 
the model. Most database models incorporate some sort of order structure. In the 
relational model, the databases may be ordered via relation-by-relation inclusion. 
Furthermore, the common database mappings built from projection, restriction, 
and join are all order preserving with respect to this natural order structure. 
In particular, while the views $\Pi_{AB}$ and $\Pi_{BC}$ are order mappings, the alternate
views identified in [2, 2.16] [3, 2.17] are not.

The theory developed in [2] and [3] provides a systematic extension to the
results outlined in Summary 2.1 above to the order-based setting. An order schema
$\mathbf{D}$ is taken to be a partially ordered set (poset) $(\mathsf{LDB}(\mathbf{D}), \leq_{\mathbf{D}})$. An order database
mapping $f : \mathbf{D}_1 \to \mathbf{D}_2$ is an order-preserving function; i.e., $M_1 \leq_{\mathbf{D}_1} M_2$ implies
$f(M_1) \leq_{\mathbf{D}_2} f(M_2)$. An order view $\Gamma = (\mathbf{V},\gamma)$ of $\mathbf{D}$ consists of an order schema
$\mathbf{V}$ and an open surjection $\gamma : \mathsf{LDB}(\mathbf{D}) \to \mathsf{LDB}(\mathbf{V})$; that is, a surjection which
is order preserving and, in addition, which satisfies the property that whenever
$N_1 \leq_{\mathbf{V}} N_2$, there are $M_1, M_2 \in \mathsf{LDB}(\mathbf{D})$ with the properties that $M_1 \leq_{\mathbf{D}} M_2$,
$\gamma(M_1) = N_1$, and $\gamma(M_2) = N_2$. For the pair of order views $\{\Gamma_1,\Gamma_2\}$ to be a
subdirect complementary pair in the order sense, the mapping
$\gamma_1 \otimes \gamma_2 : \mathbf{D} \to \mathbf{V}_1 \,{}_{\gamma_1}\!\otimes_{\gamma_2} \mathbf{V}_2$ must be an order isomorphism, and not merely an order-preserving
bijection. To obtain a closed update strategy in the order-based sense, conditions
(upt:1)-(upt:5) identified in Summary 2.1 are augmented with the following three
additions.

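(upt:6) If $\rho(M,N)\downarrow$ and $\gamma(M) \leq_{\mathbf{V}} N$, then $M \leq_{\mathbf{D}} \rho(M,N)$. [View update
reflects order.]

(upt:7) If $\rho(M_1,N_1)\downarrow$ with $M_1 \leq_{\mathbf{D}} \rho(M_1,N_1)$, then for all $M_2 \in \mathsf{LDB}(\mathbf{D})$ with
$M_1 \leq_{\mathbf{D}} M_2 \leq_{\mathbf{D}} \rho(M_1,N_1)$, there is an $N_2 \in \mathsf{LDB}(\mathbf{V})$ with $\rho(M_1,N_2) = M_2$
and $\rho(M_2, \gamma(\rho(M_1,N_1))) = \rho(M_1,N_1)$. [This condition is called order
completeness.]

(upt:8) If $M_1, M_2 \in \mathsf{LDB}(\mathbf{D})$ with $M_1 \leq_{\mathbf{D}} M_2$, then for every $N_1,N_2 \in \mathsf{LDB}(\mathbf{V})$
for which $N_1 \leq_{\mathbf{V}} N_2$, $\rho(M_1,N_1)\downarrow$, and $\rho(M_2,N_2)\downarrow$, it must be the case that
$\rho(M_1,N_1) \leq_{\mathbf{D}} \rho(M_2,N_2)$. [This condition is called order reflection.]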

Modulo these modifications, it is fair to say, at least in a general way, that [2]
and [3] extend the classical set-based constant complement theory to the
order-based setting. Within the setting of this extension, a number of uniqueness
results are obtained. Most importantly, while complements are not necessarily
unique, order-based updates are. Specifically, let $\mathbf{D}$ be a database schema, and
let $U$ be a closed update family for $\mathbf{D}$. A pair $(M_1,M_2) \in U$ is called: a formal
insertion with respect to $U$ if $M_1 \leq_{\mathbf{D}} M_2$; a formal deletion with respect to $U$ if
$M_2 \leq_{\mathbf{D}} M_1$; and an order-based update with respect to $U$ if it is a composition
of a sequence of formal insertions and formal deletions. The main theorem [2,
4.2] [3, 4.3] states that for an order-based view $\Gamma = (\mathbf{V},\gamma)$ of the order-based
schema $\mathbf{D}$, all order-based closed update strategies must agree on all order-based
updates. In other words, there is only one way to reflect the view update back
to the main schema. This does not depend upon the choice of complement, or
even the value of the meet. It is unique, period. As a rich source of classical but
important examples, all SPJR-mappings (Select, Project, Join, Rename) in the
classical relational setting define order views [2, 2.5] [3, 2.5].

In [9], a theory of direct decomposition (i.e., situations in which the views 
are independent and so the meet is trivial) of order-based schemata is presented. 

3 A Framework for Modelling View Updates 

The framework described in Summary 2.2 must be extended in two essential ways 
in order to recapture the key ideas involved in updates and their complexity. First 
of all, to recapture complexity, it must be possible to characterize the size of a 
database, and also the size of an update. Secondly, to recapture admissibility of 
a candidate database, it must be possible to discuss both those databases which 
satisfy the underlying constraints and those which do not. Fortunately, there 
is a very simple model which meets both of these requirements. To begin, the 
underlying ideas in the world of posets are developed. 







Definition 3.1 (CFA-posets and morphisms). Let $X$ be any set (not
necessarily finite), and let $\boldsymbol{\mathcal{P}}_f(X) = (\mathcal{P}_f(X), \subseteq)$ denote the poset consisting of all
finite subsets of $X$, ordered under set inclusion. A concrete finitely-atomistic
poset $\mathbf{P} = (P, \subseteq)$ (over $X$) (CFA-poset for short) is any sub-poset of $\boldsymbol{\mathcal{P}}_f(X)$
which contains the least element $\emptyset$, as well as all singletons of the form $\{x\}$
with $x \in X$. Define $\mathsf{Atoms}(\mathbf{P}) = \{\{x\} \mid x \in X\}$; these are clearly the
atoms of this poset in the abstract sense [10, 5.2]. The basis of any $p \in P$ is
$\mathsf{Basis}_{\mathbf{P}}(p) = \{a \in \mathsf{Atoms}(\mathbf{P}) \mid a \subseteq p\} = \{\{x\} \mid x \in p\}$. The term finitely
atomistic is borrowed from the lattice-theoretic world [11, p. 234], and refers to the
fact that every element in $\mathbf{P}$ is the supremum of the atoms which are less than
it; i.e., $p = \sup\{a \in \mathsf{Atoms}(\mathbf{P}) \mid a \subseteq p\}$. Note also that $X$ may be recovered
from $\mathbf{P}$; define $\mathsf{Foundation}(\mathbf{P}) = \bigcup \mathsf{Atoms}(\mathbf{P}) = \{x \mid \{x\} \in \mathsf{Atoms}(\mathbf{P})\}$. Thus, it
is safe to speak of a CFA-poset without explicitly identifying the underlying set.

To avoid confusion when more than one poset is considered, $\bot_{\mathbf{P}}$ will be
used to denote $\emptyset$ when it is regarded as the least element of $\mathbf{P}$. Finally, it is
often useful to have a notation for atoms and basis when the least element
is included as well; thus $\mathsf{ExtAtoms}(\mathbf{P}) = \mathsf{Atoms}(\mathbf{P}) \cup \{\bot_{\mathbf{P}}\}$, and for $p \in P$,
$\mathsf{ExtBasis}_{\mathbf{P}}(p) = \mathsf{Basis}_{\mathbf{P}}(p) \cup \{\bot_{\mathbf{P}}\}$.

Let $\mathbf{P} = (\mathsf{LDB}(\mathbf{P}), \subseteq)$ and $\mathbf{Q} = (\mathsf{LDB}(\mathbf{Q}), \subseteq)$ be CFA-posets. A
CFA-morphism is a function $f : \mathbf{P} \to \mathbf{Q}$ with the property that it is basis preserving,
in the precise sense that for all $p \in P$, $\bigcup\{f(a) \mid a \in \mathsf{Basis}_{\mathbf{P}}(p)\} = \mathsf{Basis}_{\mathbf{Q}}$
It is clear that a CFA-morphism is monotone, i.e., $p_1 \subseteq p_2$ implies $f(p_1) \subseteq f(p_2)$,
and thus a poset morphism in the ordinary sense. Furthermore, $f(\bot_{\mathbf{P}}) = \bot_{\mathbf{Q}}$,
since $\mathsf{Basis}_{\mathbf{P}}(\bot_{\mathbf{P}}) = \mathsf{Basis}_{\mathbf{Q}}(\bot_{\mathbf{Q}}) = \emptyset$. Thus, the behavior of a basis-preserving
morphism is determined entirely by its action on the atoms of the poset.

A CFA-morphism which is surjective is called a CFA-surjection. The
CFA-surjection $f : \mathbf{P} \to \mathbf{Q}$ is open if, for each pair $q_1,q_2 \in Q$ with $q_1 \subseteq q_2$, there are
$p_1,p_2 \in P$ with the properties that $p_1 \subseteq p_2$, $f(p_1) = q_1$, and $f(p_2) = q_2$. If $f$ is
an open surjection, then $\mathbf{Q}$ carries the weakest order which renders $f$ monotone.

Definition 3.2 (CFA-schemata, morphisms, and views). Formally, a
concrete finitely atomistic database schema (CFA-schema for short)
$\mathbf{D} = (\mathsf{LDB}(\mathbf{D}), \subseteq)$ is just a CFA-poset. A CFA-database morphism is just a
CFA-morphism in the sense given above. A CFA-view is a pair $\Gamma = (\mathbf{V},\gamma)$ in which
$\mathbf{V}$ is a CFA-schema and $\gamma$ is an open CFA-surjection.

Example 3.3 (Relational CFA-schemata, morphisms, and views). Let
$\mathbf{R}$ be a relational schema consisting of a single relation $R[\mathbf{A}]$, with a family $\mathcal{C}$
of constraints; $\mathsf{LDB}(\mathbf{R})$ the set of all finite relations satisfying those constraints.
$\mathbf{R}$ is automatically an order schema in the sense of [2] and [3], with the order
defined by set inclusion. For it to be a CFA-schema, it must also be finitely
atomistic. Specifically, this means that both the empty relation $\emptyset$ and each set
$\{t\}$ containing exactly one tuple satisfies the constraints of $\mathcal{C}$. These conditions
are satisfied, for example, whenever $\mathcal{C}$ consists of universal dependencies, such as
full dependencies [12, Ch. 10]. These sets are very broad, and include equality
generating dependencies (EGDs) such as FDs, and tuple generating dependencies
(TGDs) such as join dependencies. They do not, however, include dependencies
involving existential quantification, such as inclusion dependencies [12, Ch. 9],
upon which foreign-key dependencies are based. A similar construction applies
in the case in which $\mathbf{R}$ contains several relations; in this case, the atoms are
those instances in which one relation contains one tuple, and the rest are empty.

Both projection and restriction are examples of open CFA-surjections in the
relational context, since each is defined by its action on single tuples. Thus, they
define CFA-views. On the other hand, joins are not in general CFA-morphisms,
since they are not basis preserving.

Definition 3.4 (Unconstrained databases). While the legal databases
consist of some finite subsets of the foundation, the potential databases consist of
all of them. Specifically, let $\mathbf{D} = (\mathsf{LDB}(\mathbf{D}), \subseteq)$ be a CFA-schema, and define
$\overline{\mathbf{D}} = (\mathsf{DB}(\mathbf{D}), \subseteq)$ with $\mathsf{DB}(\mathbf{D}) = \mathcal{P}_f(\mathsf{Foundation}(\mathbf{D}))$, and let $\iota_{\mathbf{D}} : \mathbf{D} \to \overline{\mathbf{D}}$ be
the identity embedding; $M \mapsto M$. The elements of $\mathsf{DB}(\mathbf{D})$ are called the
unconstrained databases of $\mathbf{D}$. In the relational example $\mathbf{R}$ identified in Example 3.3,
$\mathsf{DB}(\mathbf{D})$ is the set of all finite relations on attribute set $\mathbf{A}$, regardless of whether
or not the constraints of $\mathcal{C}$ are met.

Remark 3.5 (Abstract FA-schemata). A cornerstone of the framework
developed in [2] [3] is that equivalence up to poset isomorphism is adequate to
characterize a database schema. In other words, the theory is indifferent to such 
“inessential” variations. However, in the approach taken here, this is not the 
case. Rather, the database schemata are required to have a specific form; na- 
mely, that of a sub-poset of a power set. This is not an essential change. It is quite 
possible to develop the theory of this paper along the lines of abstract FA-posets, 
which may be axiomatized independently of any reference to CFA-posets, but 
which amount to those posets which are isomorphic to CFA-posets. The reason 
for not taking this direction is that it becomes much less intuitive, and much 
more cumbersome notationally, to define the unconstrained databases. The gains 
realized in having such a natural model for going from constrained to unconstrai- 
ned databases seems worth the loss in abstraction. The more concrete approach 
is not entirely without its drawbacks, however. In particular, views which are 
constructed axiomatically must then be “concretized.” For example, at the end 
of Definition 4.3, a method for constructing a CFA-view from a congruence is 
provided. 

Definition 3.6 (k-models and subinstance properties). In a relational
schema $\mathbf{R}$ constrained by a family $\mathcal{F}$ of FDs, to test a candidate relation $M$
for legality, it suffices to test each pair of tuples for conflict. In other words, if
every two-element subset of $M$ satisfies $\mathcal{F}$, then $M$ itself does. For more
general families of EGDs, a corresponding property requiring the testing of $k$ tuples
at a time is easily formulated. The following notions extend these ideas to the
abstract framework.

Let $\mathbf{D} = (\mathsf{LDB}(\mathbf{D}), \subseteq)$ be a CFA-database schema, and let $k \in \mathbb{N}$. A k-model
of $\mathbf{D}$ is any $M \in \mathsf{DB}(\mathbf{D})$ with the property that every $N \in \mathsf{DB}(\mathbf{D})$ with $N \subseteq M$
and $\mathsf{Card}(N) \leq k$ is in $\mathsf{LDB}(\mathbf{D})$. (Here $\mathsf{Card}(X)$ denotes the cardinality of the
set $X$.) The schema $\mathbf{D}$ has the k-submodel property if, for every $M \in \mathsf{DB}(\mathbf{D})$,
$M \in \mathsf{LDB}(\mathbf{D})$ iff it is a k-model of $\mathbf{D}$. The schema $\mathbf{D}$ is closed under subinstances
if, for any $M \in \mathsf{LDB}(\mathbf{D})$ and any $N \subseteq M$, $N \in \mathsf{LDB}(\mathbf{D})$ as well. The following
observation is immediate.

Observation 3.7. If D is a CFA-schema which has the k-submodel property 
for some natural number k, then it is closed under subinstances. □ 

Remark 3.8 (The limits of k-models). While k-models recapture the idea
of FDs in particular and EGDs in general, they do not recapture the
tuple-generating properties of join dependencies in particular and TGDs in general.
For such dependencies, a more general notion, the $(k_1, k_2)$-model, is needed. See
the comments in Discussion 6.1.

Remark 3.9 (The measure of complexity). In a simple sense, a potential
database $M \in \mathsf{DB}(\mathbf{D})$ of a schema $\mathbf{D}$ with the k-submodel property may be
tested for membership in $\mathsf{LDB}(\mathbf{D})$ in worst-case time $O(n^k)$, with $n = \mathsf{Card}(M)$,
since there are $\binom{n}{k}$ subsets of size $k$ to test, and $O(\binom{n}{k}) = O(n^k)$, when $k$ is taken
to be constant and $n$ the variable. In the context of simple update operations,
this complexity may be further reduced. For example, if the update corresponds
to the insertion of a single atom, then the complexity is $O(n^{k-1})$, since the only
k-element subsets which need be checked are those which contain the new atom.
In view of Observation 3.7, no checking is needed at all for deletions.

In certain contexts, with the support of appropriate data structures, these 
values may be reduced even further. Most notably, with key dependencies in the 
case of FDs, satisfaction may be performed in linear time, and the correctness 
of simple insertions may be determined in constant time [13]. For reasons of this 
dependence upon data structures, as well as space constraints, these issues will 
not be pursued further in this paper. Rather, complexity will be characterized
solely in terms of k-submodel properties.
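
The counting argument of Remark 3.9, as an added example (not code from the paper): a full k-model test, an insertion test restricted to the subinstances that contain the new atom, and a deletion that needs no test. The relation R[ABC] with the FD B -> C, the function names and the sample tuples are constructed for illustration.

```python
from itertools import combinations

def fd_legal(n):
    """LDB membership oracle for R[ABC] with the FD B -> C (constructed example)."""
    return all(not (t[1] == u[1] and t[2] != u[2]) for t, u in combinations(n, 2))

def is_k_model(m, k, legal):
    """Test all subinstances of m with at most k atoms.

    Returns (verdict, number of subinstances tested). On success the count is
    sum over r <= k of C(n, r), which is O(n^k) for constant k.
    """
    tested = 0
    for r in range(k + 1):
        for sub in combinations(m, r):
            tested += 1
            if not legal(frozenset(sub)):
                return False, tested
    return True, tested

def insert_atom(m, atom, k, legal):
    """Insert one atom into a legal m, testing only subinstances that contain it.

    Returns (new state or None, number tested); at most sum over r < k of
    C(n, r) tests, which is O(n^(k-1)).
    """
    tested = 0
    for r in range(k):
        for sub in combinations(m - {atom}, r):
            tested += 1
            if not legal(frozenset(sub) | {atom}):
                return None, tested
    return m | {atom}, tested

def delete_atom(m, atom):
    """Delete one atom from a legal m: legal by closure under subinstances."""
    return m - {atom}, 0

# Constructed sample instances.
LEGAL = frozenset({("a1", "b1", "c1"), ("a2", "b1", "c1"),
                   ("a3", "b2", "c2"), ("a4", "b3", "c3")})
ILLEGAL = LEGAL | {("a9", "b1", "c7")}      # conflicts with the b1 tuples

if __name__ == "__main__":
    print(is_k_model(LEGAL, 2, fd_legal))
    print(is_k_model(ILLEGAL, 1, fd_legal), is_k_model(ILLEGAL, 2, fd_legal)[0])
    print(insert_atom(LEGAL, ("a5", "b2", "c2"), 2, fd_legal)[1])
```

The instance ILLEGAL is a 1-model that is not legal, so this schema has the 2-submodel property but not the 1-submodel property.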

To close this section, a few essential properties of schemata which are closed 
under subinstances are developed. 

Definition 3.10 (Strong morphisms and injective generators). Let
$\mathbf{D}_1 = (\mathsf{LDB}(\mathbf{D}_1), \subseteq)$ and $\mathbf{D}_2 = (\mathsf{LDB}(\mathbf{D}_2), \subseteq)$ be CFA-schemata, and let $f : \mathbf{D}_1 \to \mathbf{D}_2$
be a CFA-surjection.

(a) The morphism $f$ is downwardly strong if for every $M_1 \in \mathsf{LDB}(\mathbf{D}_1)$ and
$M_2 \in \mathsf{LDB}(\mathbf{D}_2)$ for which $M_2 \subseteq f(M_1)$, there is an $M_1' \in \mathsf{LDB}(\mathbf{D}_1)$ with
$M_1' \subseteq M_1$ and $f(M_1') = M_2$. Note in particular that if $f$ is surjective and
downwardly strong, then it must be open as well.

(b) The morphism $f$ is injectively generating if for every $M_2 \in \mathsf{LDB}(\mathbf{D}_2)$, there
is an $M_1 \in f^{-1}(M_2)$ with the property that $\mathsf{Card}(M_1) = \mathsf{Card}(M_2)$.

Proposition 3.11. Let $\mathbf{D}_1 = (\mathsf{LDB}(\mathbf{D}_1), \subseteq)$ and $\mathbf{D}_2 = (\mathsf{LDB}(\mathbf{D}_2), \subseteq)$ be
CFA-database schemata, with $f : \mathbf{D}_1 \to \mathbf{D}_2$ a CFA-surjection and $\mathbf{D}_1$ closed under
subinstances. Then $f$ is downwardly strong and injectively generating, and $\mathbf{D}_2$
is closed under subinstances.

Proof. To show that $f$ is downwardly strong, let $M \in \mathsf{LDB}(\mathbf{D}_1)$ and
$N \in \mathsf{LDB}(\mathbf{D}_2)$ with $f(M) = N$, and let $N' \in \mathsf{LDB}(\mathbf{D}_2)$ with $N' \subseteq N$. Set
$M' = \{A \in M \mid f(A) \in N'\}$. Then $M' \in \mathsf{LDB}(\mathbf{D}_1)$ (since $\mathbf{D}_1$ is closed
under subinstances) with $f(M') = N'$.

To show that $f$ is injectively generating, let $N \in \mathsf{LDB}(\mathbf{D}_2)$ and choose
$M \in f^{-1}(N)$. For each $B \in N$, choose exactly one $A_B \in M$ with the property that
$f(A_B) = B$, and put $M' = \{A_B \mid B \in N\}$. Since $\mathbf{D}_1$ is closed under subinstances,
$M' \in \mathsf{LDB}(\mathbf{D}_1)$, with $f(M') = N$.

Finally, to show that $\mathbf{D}_2$ is closed under subinstances, let $N \in \mathsf{LDB}(\mathbf{D}_2)$
and let $N' \in \mathsf{DB}(\mathbf{D})$ with $N' \subseteq N$. Choose $M \in f^{-1}(N)$ and set
$M' = \{A \in M \mid f(A) \in N'\}$. Since $\mathbf{D}_1$ is closed under subinstances, $M' \in \mathsf{LDB}(\mathbf{D}_1)$, and so
$N' \in \mathsf{LDB}(\mathbf{D}_2)$ with $f(M') = N'$. □

4 View Constructions and Relative Complexity 

The ultimate goal of this section is the proof of the main theorem of this paper,
that the relative complexity of view update for a closed view is no greater
than that of update in the base schema. To achieve this result, certain key results
from [2] [3] must be lifted to the current, more structured framework.

To begin, it is shown that a functional connection, or, equivalently, a sub- 
sumption of congruences is sufficient to define a relative view. 

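Lemma 4.1 (CFA-view fill-in). Let $\mathbf{D} = (\mathsf{LDB}(\mathbf{D}), \subseteq)$ be a CFA-schema,
let $\Gamma_1 = (\mathbf{V}_1,\gamma_1)$ and $\Gamma_2 = (\mathbf{V}_2,\gamma_2)$ be CFA-views of $\mathbf{D}$, and let $f : \mathbf{V}_1 \to \mathbf{V}_2$
be any function which renders the diagram of Fig. 1 commutative. Then $f$
is necessarily an open CFA-surjection, and hence defines a relative CFA-view
$\Lambda(\Gamma_1,\Gamma_2) = (\mathbf{V}_2, \lambda\langle\Gamma_1,\Gamma_2\rangle)$ with $\lambda\langle\Gamma_1,\Gamma_2\rangle = f$.

Proof. It is immediate that $f$ is surjective, since $\gamma_2$ is. To show that it is open,
let $M,N \in \mathsf{LDB}(\mathbf{V}_2)$ with $M \subseteq N$. Then, since $\gamma_2$ is open, there are
$M',N' \in \mathsf{LDB}(\mathbf{D})$ with $M' \subseteq N'$ and $\gamma_2(M') = M$, $\gamma_2(N') = N$. Then $\gamma_1(M') \subseteq \gamma_1(N')$
with $\gamma_1(M') \in f^{-1}(M)$, $\gamma_1(N') \in f^{-1}(N)$; i.e., $f$ is open. Finally, to show that
it is basis preserving, let $N \in \mathsf{LDB}(\mathbf{V}_1)$; then, since $\gamma_1$ is surjective, there exists
$M \in \mathsf{LDB}(\mathbf{D})$ with $\gamma_1(M) = N$. Since $\gamma_1$ is basis preserving, each $a \in N$ is of
the form $\gamma_1(b)$ for some $b \in M$. Thus
$f(N) = f(\gamma_1(M)) = \gamma_2(M) = \{\gamma_2(b) \mid b \in M\} = \{f(\gamma_1(b)) \mid b \in M\} = \{f(a) \mid a \in N\}$. □

Proposition 4.2. Let $\mathbf{D} = (\mathsf{LDB}(\mathbf{D}), \subseteq)$ be a CFA-schema and let
$\Gamma_1 = (\mathbf{V}_1,\gamma_1)$ and $\Gamma_2 = (\mathbf{V}_2,\gamma_2)$ be CFA-views of $\mathbf{D}$. Then there is a view
morphism $f : \Gamma_1 \to \Gamma_2$ iff $\mathsf{Congr}(\Gamma_1) \subseteq \mathsf{Congr}(\Gamma_2)$. □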

In the order-based context, the congruences which define order views are 
the order-compatible congruences [2, 2.9] [3, 2.9]. In the present framework, the
appropriate condition is that of being atomically generated; that is, of being
defined entirely by the behavior on the basis of the underlying schema. The
formal details are as follows.

Definition 4.3 (Atomically generated equivalence relations). Let
$\mathbf{D} = (\mathsf{LDB}(\mathbf{D}), \subseteq)$ be a CFA-schema, and let $R$ be an equivalence relation on $\mathsf{LDB}(\mathbf{D})$.
Define $[\mathbf{D}]_R = (\mathsf{LDB}(\mathbf{D})/R, \leq_{[\mathbf{D}]_R})$, with $\mathsf{LDB}(\mathbf{D})/R$ the set of equivalence
classes of $R$, and $\leq_{[\mathbf{D}]_R}$ the relation on $\mathsf{LDB}(\mathbf{D})/R$ given by $[M]_R \leq_{[\mathbf{D}]_R} [N]_R$ iff
$(\exists M_1 \in [M]_R)(\exists N_1 \in [N]_R)(M_1 \leq_{\mathbf{D}} N_1)$, and define $\theta_R : \mathbf{D} \to \mathsf{LDB}(\mathbf{D})/R$ by
$M \mapsto [M]_R$. In the order-based setting, it is already known that $[\mathbf{D}]_R$ is an order
schema, and that $\Theta_R = ([\mathbf{D}]_R, \theta_R)$ is an order-based view [2, 2.9] [3, 2.9].

To extend this result to the CFA-setting, a few additional conditions must be
imposed. The idea is that since CFA-morphisms are completely characterized by
their action on atoms, the corresponding notion of equivalence relation must have
this same property. Specifically, let $\mathbf{D} = (\mathsf{LDB}(\mathbf{D}), \subseteq)$ be a CFA-schema, and let
$R$ be an equivalence relation on $\mathsf{LDB}(\mathbf{D})$. Informally, $R$ is atomically generated
if its equivalence classes are defined entirely by the equivalences of its atoms.
Formally, $R$ is atomically generated if, for any $(M_1, M_2) \in \mathsf{LDB}(\mathbf{D}) \times \mathsf{LDB}(\mathbf{D})$,
$(M_1, M_2) \in R$ iff the following two conditions are satisfied.

(atg:1) $(\forall A_1 \in \mathsf{Basis}_{\mathbf{D}}(M_1))(\exists A_2 \in \mathsf{ExtBasis}_{\mathbf{D}}(M_2))((A_1, A_2) \in R)$

(atg:2) $(\forall A_2 \in \mathsf{Basis}_{\mathbf{D}}(M_2))(\exists A_1 \in \mathsf{ExtBasis}_{\mathbf{D}}(M_1))((A_1, A_2) \in R)$

Put another way, define the atomic subequivalence
$\mathsf{AtomicEq}(R) = R \cap (\mathsf{ExtAtoms}(\mathbf{D}) \times \mathsf{ExtAtoms}(\mathbf{D}))$. Then, for $R$ to be atomically generated,
it must be entirely recoverable from $\mathsf{AtomicEq}(R)$.

It is easy to see that an atomically generated equivalence relation provides
the correct construction for obtaining an abstract FA-view; however, such a
view is not concrete because the equivalence class $[M]_R$ is not the union of
its basis. Nonetheless, this is easy to fix. For any $M \in \mathsf{LDB}(\mathbf{D})$, let
$[M]_R = \{[x]_R \mid x \in M\}$, let $\mathsf{LDB}(\mathbf{D})/\!/R = \{[M]_R \mid M \in \mathsf{LDB}(\mathbf{D})\}$, and let
$[\mathbf{D}]_R = (\mathsf{LDB}(\mathbf{D})/\!/R, \subseteq)$. Define $[\Theta_R] = ([\mathbf{D}]_R, [\theta_R])$, with $[\theta_R] : \mathbf{D} \to [\mathbf{D}]_R$ given
by $M \mapsto [M]_R$. This construction provides a CFA-view whose congruence is $R$;
Lemma 4.4 and Proposition 4.5 below formalize this fact.

Lemma 4.4 (Concretization of views defined by equivalence relations).
Let $\mathbf{D}$ be a CFA-schema, and let $R$ be an atomically generated equivalence
relation on $\mathsf{LDB}(\mathbf{D})$. Then $[\mathbf{D}]_R$ is a CFA-schema with
$\mathsf{Atoms}([\mathbf{D}]_R) = \{[a]_R \mid a \in \mathsf{Atoms}(\mathbf{D})\}$, and $[\Theta_R] = ([\mathbf{D}]_R, [\theta_R])$ is a CFA-view of $\mathbf{D}$ with
$\mathsf{Congr}([\Theta_R]) = R$. □

Proposition 4.5 (Characterization of CFA-views). Let $\mathbf{D}$ be a
CFA-schema, and let $R$ be any equivalence relation on $\mathsf{LDB}(\mathbf{D})$. Then $[\Theta_R]$ is a
CFA-view iff $R$ is an atomically generated equivalence. In particular, if $\Gamma = (\mathbf{V},\gamma)$ is
a CFA-view, then $\mathsf{Congr}(\Gamma)$ is an atomically generated equivalence. □

A critical component of the theory is the ability to "lift" the constructions on
a constrained schema $\mathbf{D}$ to the associated unconstrained schema $\overline{\mathbf{D}}$. This includes
also morphisms between such schemata, views, and even equivalence relations
induced by views. To begin, the notion of lifting a morphism is introduced.

Definition 4.6 (Extensions of CFA-morphisms to unconstrained databases). Given
CFA-schemata $\mathbf{D}_1 = (\mathsf{LDB}(\mathbf{D}_1), \subseteq)$ and $\mathbf{D}_2 = (\mathsf{LDB}(\mathbf{D}_2), \subseteq)$ and a
CFA-morphism $f : \mathbf{D}_1 \to \mathbf{D}_2$, there is a unique natural extension
$\overline{f} : \overline{\mathbf{D}}_1 \to \overline{\mathbf{D}}_2$ which renders the diagram of Fig. 4 to the right
commutative. Specifically, for any $M \in \mathsf{DB}(\mathbf{D}_1)$,
define $\overline{f}(M) = \bigcup\{f(\{x\}) \mid x \in M\}$. The following
is easy to verify.

Proposition 4.7. Let $\mathbf{D}_1 = (\mathsf{LDB}(\mathbf{D}_1), \subseteq)$ and $\mathbf{D}_2 = (\mathsf{LDB}(\mathbf{D}_2), \subseteq)$ be
CFA-schemata, and let $f : \mathbf{D}_1 \to \mathbf{D}_2$ be a CFA-morphism. Then $\overline{f} : \overline{\mathbf{D}}_1 \to \overline{\mathbf{D}}_2$ is also
a CFA-morphism, and it is an (open) CFA-surjection iff $f$ is. □

Discussion 4.8 (Lifting of entire diagrams and completions of
CFA-equivalences). The lifting construction described in Definition 4.6 may be
applied to any commutative diagram containing CFA-morphisms. Thus, the
commutative diagram shown in Fig. 5 to the right may be obtained from the
commutative diagram shown in Fig. 3. The key results of this section, however,
require a further step; namely, that the extension operation be moved from an
entire construction to the individual components.

In concrete terms, it is necessary to show that the diagram of Fig. 5 is the
same, component-by-component and morphism-by-morphism, as that of Fig. 6 to the
right. The key to establishing this equivalence lies within the associated
equivalence relations. Specifically, given a CFA-schema $\mathbf{D}$, it is the case that
the equivalence relation of $\overline{\mathbf{D}}$ is a natural completion of that of $\mathbf{D}$. More
formally, proceed as follows. Let $R$ be a CFA-equivalence on the CFA-schema $\mathbf{D}$.
Define the completion of $R$ to be the equivalence relation $\overline{R}$ on $\overline{\mathbf{D}}$ with the
property that for $M_1,M_2 \in \mathsf{DB}(\mathbf{D})$,

$(M_1, M_2) \in \overline{R} \iff \big(((\forall A_1 \in \mathsf{Basis}_{\overline{\mathbf{D}}}(M_1))(\exists A_2 \in \mathsf{ExtBasis}_{\overline{\mathbf{D}}}(M_2))((A_1, A_2) \in R)) \wedge ((\forall A_2 \in \mathsf{Basis}_{\overline{\mathbf{D}}}(M_2))(\exists A_1 \in \mathsf{ExtBasis}_{\overline{\mathbf{D}}}(M_1))((A_1, A_2) \in R))\big)$

Fig. 6. Individual lifting

Definition 4.9 (Independence dependencies). Consider a simple relational
schema $R[ABC]$ constrained by the single FD $B \to C$, which decomposes
losslessly and in a dependency-preserving fashion into the two projections $\Pi_{AB}$
and $\Pi_{BC}$. There are two equivalent ways of identifying the view states which
may be combined to form a state of the main schema. First, one may say that
the projection of each view on attribute $B$ is the same. Second, one may say that
for each tuple $(a, b)$ of the view $\Pi_{AB}$, there is a tuple $(b, c)$ with a matching
$B$-value, and conversely. These conditions are so obviously identical that it may
seem pointless to differentiate between them. However, in a more general context,
they display an important difference. The first (characterization by equivalent
projections) does not make explicit use of individual tuples, and thus claims
a generalization as the $\Pi_B$-independence dependency within the framework of [2]
[3]. On the other hand, a generalization of the second condition (tuple-by-tuple
matching) requires a corresponding abstraction of the notion of a tuple; while
the framework of [2] [3] does not admit such an abstraction, the more structured
one used here does. The formalizations are as follows.

Let $\mathbf{D} = (\mathsf{LDB}(\mathbf{D}), \subseteq)$ be a CFA-schema, let $\{\Gamma_1, \Gamma_2\}$ be a subdirect
complementary pair of CFA-views, and let $\Gamma_3 = (\mathbf{V}_3,\gamma_3)$ be a view of $\mathbf{D}$, with
$\mathsf{Congr}(\Gamma_1) \subseteq \mathsf{Congr}(\Gamma_3)$ and $\mathsf{Congr}(\Gamma_2) \subseteq \mathsf{Congr}(\Gamma_3)$. The $\Gamma_3$-independence
dependency on $\mathbf{V}_1 \,{}_{\gamma_1}\!\otimes_{\gamma_2} \mathbf{V}_2$, denoted $\otimes^{\Gamma_3}$, is satisfied iff for any $M_1 \in \mathsf{LDB}(\mathbf{V}_1)$ and
$M_2 \in \mathsf{LDB}(\mathbf{V}_2)$, the following condition is satisfied ([2, 2.12], [3, 2.13]).

(id) $((M_1,M_2) \in \mathsf{LDB}(\mathbf{V}_1 \,{}_{\gamma_1}\!\otimes_{\gamma_2} \mathbf{V}_2)) \iff (\lambda\langle\Gamma_1,\Gamma_3\rangle(M_1) = \lambda\langle\Gamma_2,\Gamma_3\rangle(M_2))$

On the other hand, the pointwise $\Gamma_3$-independence dependency is satisfied iff the
following two dual conditions are met.

(id:1) $(\forall A_1 \in \mathsf{Basis}_{\mathbf{V}_1}(M_1))(\exists A_2 \in \mathsf{ExtBasis}_{\mathbf{V}_2}(M_2))(\lambda\langle\Gamma_1,\Gamma_3\rangle(A_1) = \lambda\langle\Gamma_2,\Gamma_3\rangle(A_2))$

(id:2) $(\forall A_2 \in \mathsf{Basis}_{\mathbf{V}_2}(M_2))(\exists A_1 \in \mathsf{ExtBasis}_{\mathbf{V}_1}(M_1))(\lambda\langle\Gamma_1,\Gamma_3\rangle(A_1) = \lambda\langle\Gamma_2,\Gamma_3\rangle(A_2))$

In the context of CFA-views, conditions (id:1) and (id:2) may replace (id).

Proposition 4.10. Let $(\mathsf{LDB}(\mathbf{D}), \subseteq)$ be a CFA-schema, and let be a
subdirect complementary pair of CFA-views of $\mathbf{D}$. Then it is also a meet
complementary pair iff conditions (id:1) and (id:2) of Definition 4.9 are satisfied.

Proof. Follows directly from the discussion of Definition 4.9 and [2, 2.13] [3,
2.14]. □

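Lemma 4.11 (Commuting congruences for completions). Let $\mathbf{D}$ be a
CFA-schema and let $M_1,M_2 \in \mathsf{DB}(\mathbf{D})$.

(a) Let $\Gamma = (\mathbf{V},\gamma)$ be a CFA-view of $\mathbf{D}$. Then $(M_1,M_2) \in \mathsf{Congr}(\overline{\Gamma})$ iff the
following two dual conditions are satisfied.

$(\forall A_1 \in \mathsf{Basis}_{\overline{\mathbf{D}}}(M_1))(\exists A_2 \in \mathsf{ExtBasis}_{\overline{\mathbf{D}}}(M_2))((A_1, A_2) \in \mathsf{Congr}(\Gamma))$

$(\forall A_2 \in \mathsf{Basis}_{\overline{\mathbf{D}}}(M_2))(\exists A_1 \in \mathsf{ExtBasis}_{\overline{\mathbf{D}}}(M_1))((A_1, A_2) \in \mathsf{Congr}(\Gamma))$

(b) Let $\Gamma_1 = (\mathbf{V}_1,\gamma_1)$ and $\Gamma_2 = (\mathbf{V}_2,\gamma_2)$ be CFA-views of $\mathbf{D}$. Then
$(M_1, M_2) \in \mathsf{Congr}(\overline{\Gamma}_1) \circ \mathsf{Congr}(\overline{\Gamma}_2)$ iff the following two dual conditions are satisfied.

$(\forall A_1 \in \mathsf{Basis}_{\overline{\mathbf{D}}}(M_1))(\exists A_2 \in \mathsf{ExtBasis}_{\overline{\mathbf{D}}}(M_2))((A_1, A_2) \in \mathsf{Congr}(\Gamma_1) \circ \mathsf{Congr}(\Gamma_2))$

$(\forall A_2 \in \mathsf{Basis}_{\overline{\mathbf{D}}}(M_2))(\exists A_1 \in \mathsf{ExtBasis}_{\overline{\mathbf{D}}}(M_1))((A_1, A_2) \in \mathsf{Congr}(\Gamma_1) \circ \mathsf{Congr}(\Gamma_2))$

Proof. Part (a) is a direct consequence of conditions (atg:1) and (atg:2) of
Definition 4.3 and the definition of completion. To establish (b), let $M_1, M_2 \in \mathsf{DB}(\mathbf{D})$
satisfy the two dual conditions of (b). For each $A_1 \in \mathsf{Basis}_{\overline{\mathbf{D}}}(M_1)$, let
$A_2 \in \mathsf{ExtBasis}_{\overline{\mathbf{D}}}(M_2)$ with $(A_1, A_2) \in \mathsf{Congr}(\Gamma_1) \circ \mathsf{Congr}(\Gamma_2)$, and let $N_{A_1} \in \mathsf{LDB}(\mathbf{D})$
be such that $(A_1, N_{A_1}) \in \mathsf{Congr}(\Gamma_1)$ and $(N_{A_1}, A_2) \in \mathsf{Congr}(\Gamma_2)$. $N_{A_1}$ may
furthermore be chosen to be a member of $\mathsf{ExtAtoms}(\mathbf{D})$, since every
$A \in \mathsf{ExtBasis}_{\mathbf{D}}(N_{A_1})$ must be equivalent to $A_1$ under $\mathsf{Congr}(\Gamma_1)$ and equivalent to $A_2$
under $\mathsf{Congr}(\Gamma_2)$, in view of (a). Thus, if $N_{A_1} \neq \bot_{\mathbf{D}}$, any element of $\mathsf{Basis}_{\mathbf{D}}(N_{A_1})$
will serve as well as $N_{A_1}$ itself. (If $N_{A_1} = \bot_{\mathbf{D}}$, leave it as is.) Now, again by the
characterization of (a), $(A_1, N_{A_1}) \in \mathsf{Congr}(\Gamma_1)$ and $(N_{A_1}, A_2) \in \mathsf{Congr}(\Gamma_2)$.
Dualize this process for each $A_2 \in \mathsf{Basis}_{\overline{\mathbf{D}}}(M_2)$; choose $A_1 \in \mathsf{ExtBasis}_{\overline{\mathbf{D}}}(M_1)$ with
$(A_1, A_2) \in \mathsf{Congr}(\Gamma_1) \circ \mathsf{Congr}(\Gamma_2)$, and let $N_{A_2} \in \mathsf{ExtAtoms}(\mathbf{D})$ be such that
$(A_1, N_{A_2}) \in \mathsf{Congr}(\Gamma_1)$ and $(N_{A_2}, A_2) \in \mathsf{Congr}(\Gamma_2)$. Put
$N' = (\{N_{A_1} \mid A_1 \in \mathsf{Basis}_{\overline{\mathbf{D}}}(M_1)\} \cup \{N_{A_2} \mid A_2 \in \mathsf{Basis}_{\overline{\mathbf{D}}}(M_2)\})$. Then $\in \mathsf{Congr}(\overline{\Gamma}_1)$ and
$(N', M_2) \in \mathsf{Congr}(\overline{\Gamma}_2)$, whence $\in \mathsf{Congr}(\overline{\Gamma}_1) \circ \mathsf{Congr}(\overline{\Gamma}_2)$. The
converse condition follows immediately from part (a). □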

Proposition 4.12 (Extension of commuting congruences). Let D be a
CFA-schema, and let $\{\Gamma_1, \Gamma_2\}$ be a fully commuting pair of CFA-views of D.
Then $\overline{\Gamma}_1 \wedge \overline{\Gamma}_2$ is a CFA-view of $\overline{D}$, and $\{\overline{\Gamma}_1, \overline{\Gamma}_2\}$ is a fully commuting pair of
views of $\overline{D}$, with $\overline{\Gamma_1 \wedge \Gamma_2} = \overline{\Gamma}_1 \wedge \overline{\Gamma}_2$. □

It is now possible to extend the notions of absolute k-models of Definition
3.6 to relative notions, and to prove the main theorem. A relative (to meet
complement $\Gamma_2 = (V_2, \gamma_2)$) k-model in the view $\Gamma_1 = (V_1, \gamma_1)$ is a k-model of
$V_1$ whose $\Gamma_1 \wedge \Gamma_2$ component is already a legal database of $V_1\,{}_{\gamma_1}\!\wedge_{\gamma_2} V_2$. Such
models are central to the update process because the property of the $\Gamma_1 \wedge \Gamma_2$
component being legal does not change under constant-complement update, since
that component of the state is held constant. The main theorem then asserts
that, for the view to have this property, it suffices that the main schema have
the k-submodel property.

Definition 4.13 (Relative k-models). Let D = (LDB(D),C) be a
CFA-schema, let $\Gamma_1 = (V_1, \gamma_1)$ and $\Gamma_2 = (V_2, \gamma_2)$ be CFA-views of D with
$\Gamma_2 \leq \Gamma_1$ (i.e., with a morphism $f : \Gamma_1 \to \Gamma_2$), and let $k \in \mathbb{N}$.

(a) The database $M \in \mathrm{DB}(V_1)$ is called $\Gamma_2$-legal if $\lambda(\Gamma_1, \Gamma_2)(M) \in \mathrm{LDB}(V_2)$,
and it is called a $\Gamma_2$-relative k-model for $V_2$ if it is both $\Gamma_2$-legal and a
k-model of $V_1$.

(b) The view $\Gamma_1 = (V_1, \gamma_1)$ has the $\Gamma_2$-relative k-submodel property if, for
every $M \in \mathrm{DB}(V_1)$, $M \in \mathrm{LDB}(V_1)$ iff it is a $\Gamma_2$-relative k-model for $V_1$.

Theorem 4.14 (Preservation of complexity). Let D be a CFA-database
schema, and let $\{\Gamma_1 = (V_1, \gamma_1), \Gamma_2 = (V_2, \gamma_2)\}$ be a subdirect complementary
pair of CFA-views of D. Let $k \in \mathbb{N}$. If D has the k-submodel property, then $\Gamma_1$
has the $(\Gamma_1 \wedge \Gamma_2)$-relative k-submodel property.

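Proof. First of all, note that $\gamma_1$, $\overline{\gamma}_1$, $\gamma_2$, and $\overline{\gamma}_2$ are downwardly strong and
injectively generating, and that $V_1$, $\overline{V}_1$, $V_2$, and $\overline{V}_2$ are closed under subinstances,
in view of Observation 3.7 and Proposition 3.11.

Let $M_1 \in \mathrm{DB}(V_1)$ be a $(\Gamma_1 \wedge \Gamma_2)$-relative k-model; the goal is to establish that
$M_1 \in \mathrm{LDB}(V_1)$. To this end, begin by choosing $M_2 \in \mathrm{LDB}(V_2)$ with the
property that $\lambda(\Gamma_1, \Gamma_1 \wedge \Gamma_2)(M_1) = \lambda(\Gamma_2, \Gamma_1 \wedge \Gamma_2)(M_2) = \lambda(\overline{\Gamma}_2, \overline{\Gamma}_1 \wedge \overline{\Gamma}_2)(M_2)$. Such
a choice of $M_2$ is possible since the view morphism $\lambda(\Gamma_2, \Gamma_1 \wedge \Gamma_2)$ is surjective.
Observe that $(M_1, M_2) \in \overline{V}_1\,{}_{\overline{\gamma}_1}\!\otimes_{\overline{\gamma}_2} \overline{V}_2$. Define $M = (\overline{\gamma}_1 \otimes \overline{\gamma}_2)^{-1}(M_1, M_2)$. Choose
$N \in \mathrm{DB}(D)$ such that $N \subseteq M$ with two properties; first, that $\overline{\gamma}_1(N) = \overline{\gamma}_1(M)$,
and, second, that $\overline{\gamma}_1$ is injective on $\mathrm{Basis}_{\overline{D}}(N)$; i.e., $A_1, A_2 \in \mathrm{Basis}_{\overline{D}}(N)$ and
$\overline{\gamma}_1(A_1) = \overline{\gamma}_1(A_2)$ implies that $A_1 = A_2$. Such a choice is possible since $\overline{\gamma}_1$ is
injectively generating. Now $(\overline{\gamma}_1 \otimes \overline{\gamma}_2)(N) = (M_1, M_2')$, with $M_2' \in \mathrm{LDB}(V_2)$.
($M_2' \in \mathrm{LDB}(V_2)$ since $M_2 \in \mathrm{LDB}(V_2)$ and $V_2$ is closed under subinstances.)
Next, let $M'' \in \mathrm{DB}(D)$ with $M'' \subseteq N$ and $\mathrm{Card}(M'') \leq k$. Define $(M_1'', M_2'') =
(\overline{\gamma}_1 \otimes \overline{\gamma}_2)(M'')$. $M_2'' \in \mathrm{LDB}(V_2)$ since $M_2'' \subseteq M_2'$ and $V_2$ is closed under
subinstances, and $M_1'' \in \mathrm{LDB}(V_1)$ since $M_1'' \subseteq M_1$, $\mathrm{Card}(M_1'') = \mathrm{Card}(M'') \leq k$,
and $M_1$ is a relative $(\Gamma_1 \wedge \Gamma_2)$-model. Thus, $M'' \in \mathrm{LDB}(D)$, since $\gamma_1 \otimes \gamma_2$ is an
isomorphism. However, $M''$ was an arbitrary submodel of N in DB(D) of size
at most k; thus, since D has the k-submodel property, $N \in \mathrm{LDB}(D)$. Finally,
this implies that $M_1 = \gamma_1(N) \in \mathrm{LDB}(V_1)$; whence $\Gamma_1$ has the $(\Gamma_1 \wedge \Gamma_2)$-relative
k-model property. □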

Example 4.15. It is instructive to give a detailed example at this point which
illustrates the ideas of relative complexity. The example is $E_2$, which was already
introduced in Section 1. Specifically, let $E_2$ denote the relational schema on
five attributes with the single relation symbol S[ABCDE]. It is constrained
by the set $\mathcal{F}_2 = \{A \to D, B \to D, CD \to A, A \to E\}$ of FDs. Since this
schema is constrained by FDs, it clearly has the 2-submodel property. The view
to be updated is $\Pi_{ABCE} = (S[ABCE], \pi_{ABCE})$, while the complement to be
held constant is $\Pi_{ABCD} = (S[ABCD], \pi_{ABCD})$. The pair $\{\Pi_{ABCE}, \Pi_{ABCD}\}$ is
lossless, since the dependency $A \to E$ implies the join dependency $ABCD \bowtie
ABCE$, and it is dependency preserving since every FD in $\mathcal{F}_2$ embeds into
one of the two views. Thus, it forms a meet-complementary pair, with meet
$\Pi_{ABC} = (S[ABC], \pi_{ABC})$ [2, 2.16], [3, 2.17]. The updates which are allowed
on $\Pi_{ABCE}$ are precisely those which hold $\Pi_{ABC}$ constant; that is, those which
change only the E-value of a tuple. In view of the above theorem, $\Pi_{ABCE}$ has
the $\Pi_{ABC}$-relative 2-submodel property, since the main schema $E_2$ has the
2-submodel property. Note that this is the case even though the view $\Pi_{ABCE}$
cannot be finitely axiomatizable [4].







5 Update Strategies 

To complete the transition to the CFA-context, the connection between the 
results of the previous section and formal update strategies must be made. For 
the most part, the approach is similar to that taken in [2] and [3]; however, an 
adjustment is necessary to ensure that the complement view generated by an 
update strategy is a CFA-view. 

Summary 5.1 (Augmenting update strategies for CFA-views). To adapt
the conditions (upt:1)-(upt:8) summarized in Summary 2.1 and Summary
2.2 to the CFA-context, it is necessary to ensure that the equivalence $\equiv_\rho$ of an
update strategy $\rho$ is in fact an atomically generated equivalence, so that the
$\rho$-complement $\Gamma^{\rho}$ of the CFA-view $\Gamma$ is in fact a CFA-view. The appropriate
addition to (upt:1)-(upt:8) is the following.

(upt:9) If $\rho(M_1, \gamma(M_2)) = M_2$, then

$(\forall A_1 \in \mathrm{Basis}_D(M_1))(\exists A_2 \in \mathrm{ExtBasis}_D(M_2))(\rho(A_1, \gamma(A_2)) = A_2)$

An update strategy $\rho$ which satisfies all of (upt:1)-(upt:9) will be called a
CFA-update strategy. Essentially, this means that every update is composed of updates
on the underlying family of atoms. It is easy to see that (upt:9) holds in the
classical setting of the lossless and dependency-preserving decomposition of a
relational schema, as elaborated in [2, 2.15 and 2.16], [3, 2.16 and 2.17].

Lemma 5.2. The induced update family $\equiv_\rho$ is an atomically generated
equivalence iff $\rho$ is a CFA-update strategy.

Proof. Follows from Definition 4.3 and Proposition 4.5. □

Now the “CFA” equivalent of [2, 3.9] and [3, 3.10] follows directly. 

Theorem 5.3. Let D be a CFA-schema, and let $\Gamma$ be a CFA-view of D. There
is a natural bijective correspondence between CFA-update strategies for $\Gamma$ and meet
complements of that view which are also CFA-views. Specifically:

(a) For any CFA-update strategy $\rho$, $\mathrm{UpdStr}\langle\Gamma, \Gamma^{\rho}\rangle = \rho$.

(b) For any meet complement $\Gamma_1$ of $\Gamma$ which is also a CFA-view, $\Gamma^{\mathrm{UpdStr}\langle\Gamma, \Gamma_1\rangle} = \Gamma_1$. □

Notation 5.4 (Notational convention). Throughout the rest of this section,
unless stated specifically to the contrary, let D = (LDB(D), C) be a CFA-schema,
$\Gamma = (V, \gamma)$ a CFA-view of D, U and T closed update families for D and V,
respectively, and $\rho$ a CFA-update strategy for T with respect to U.

Definition 5.5 (The completion of an update strategy).

(a) The completion of U, denoted $\overline{U}$, is the relation on DB(D) × DB(D) defined
by $(M_1, M_2) \in \overline{U}$ iff the following two (dual) conditions are satisfied.

(i) $(\forall A_1 \in \mathrm{Basis}_{\overline{D}}(M_1))(\exists A_2 \in \mathrm{ExtBasis}_{\overline{D}}(M_2))((A_1, A_2) \in U)$

(ii) $(\forall A_2 \in \mathrm{Basis}_{\overline{D}}(M_2))(\exists A_1 \in \mathrm{ExtBasis}_{\overline{D}}(M_1))((A_1, A_2) \in U)$

(b) The completion of $\rho$ is the function $\overline{\rho} : \mathrm{DB}(D) \times \mathrm{DB}(V) \to \mathrm{DB}(D)$ given
by $(M_1, N_2) \mapsto M_2$ iff $\gamma(M_2) = N_2$ and the following two (dual) conditions
are satisfied:

(i) $(\forall A_1 \in \mathrm{Basis}_{\overline{D}}(M_1))(\exists A_2 \in \mathrm{ExtBasis}_{\overline{D}}(M_2))(\rho(A_1, \gamma(A_2)) = A_2)$

(ii) $(\forall A_2 \in \mathrm{Basis}_{\overline{D}}(M_2))(\exists A_1 \in \mathrm{ExtBasis}_{\overline{D}}(M_1))(\rho(A_1, \gamma(A_2)) = A_2)$

Lemma 5.6. $\overline{\rho}$ is a CFA-update strategy for T with respect to $\overline{U}$.

Proof. This is a routine verification against the conditions (upt:1)-(upt:9). The
details are omitted. □

In [2, 4.2], [3, 4.3], it is established that there is only one way to reflect
an update on a closed view back to the main schema, provided that update
is realizable as a sequence of legal insertions and deletions. Using the framework
developed in this paper, it is possible to drop the condition of legality on the
intermediate states; in other words, the reflection of the view update back to
the main schema is unique as long as it is realizable as a sequence of insertions and
deletions, even though the intermediate states may not be legal. In other words,
for all practical purposes, there is only one way to reflect an update under a
closed update strategy back to the main schema, regardless of whether or not that
update is order realizable. The formal details follow.

Definition 5.7 (Syntactic order-based updates). Following [2, 4.1] and [3,
4.1], a pair $(M_1, M_2) \in U$ is called a formal insertion with respect to U if $M_1 \leq_D
M_2$; a formal deletion with respect to U if $M_2 \leq_D M_1$; and an order-based update
with respect to U if there exists a nonempty sequence $(N_1, N_2), (N_2, N_3), \ldots,
(N_{k-2}, N_{k-1}), (N_{k-1}, N_k)$ of elements of U with the properties that $N_1 = M_1$,
$N_k = M_2$, and each pair $(N_i, N_{i+1})$, $1 \leq i \leq k-1$, is either a formal insertion
or else a formal deletion with respect to U. The update family U is called order
realizable if every pair in U is an order-based update.

More generally, call a pair $(M_1, M_2) \in U$ a syntactic order-based update if
$(M_1, M_2)$ is an order-based update in $\overline{U}$, and call U syntactically order realizable
if every pair in U is a syntactic order-based update. Since $\overline{\rho}$ is an update strategy
by Lemma 5.6, the following extension of [2, 4.2] and [3, 4.3] follows immediately.

Theorem 5.8 (Uniqueness of reflection of syntactic order-based view
updates). Let $\rho_1$ and $\rho_2$ be update strategies for T with respect to U. Then,
for any $M \in \mathrm{LDB}(D)$ and $N \in \mathrm{LDB}(V)$ with $(\gamma(M), N) \in T$ a syntactic
order-based update, it must be the case that $\rho_1(M, N) = \rho_2(M, N)$. In particular, if T
is syntactically order realizable, then $\rho_1 = \rho_2$. □

Example 5.9. Let $E_3$ be the relational schema with a single relation symbol
R[ABC] on three attributes, constrained by the set = $\{B \to A, B \to C\}$.
Let the view to be updated be $\Pi_{AB} = (R[AB], \pi_{AB})$, and the complement to
be held constant $\Pi_{BC} = (R[BC], \pi_{BC})$. In view of [2, 2.16], [3, 2.17], these
two views form a meet complementary pair with meet $\Pi_B = (R[B], \pi_B)$. The
updates which are allowed on $\Pi_{AB}$ are those which hold the projection on B
constant; since the FD $B \to A$ holds as well, this means that the only updates
which are possible are those which change the A-value of existing tuples. These
are not order-based updates; therefore, the main theorem [2, 4.2] [3, 4.3] does
not provide a direct guarantee of the uniqueness of their translations. However,
when the integrity constraint $B \to A$ is ignored, the resulting update family is
syntactically order based, and so Theorem 5.8 guarantees a unique translation
of all such updates on $\Pi_{AB}$, regardless of whether or not the complement to be
held constant is $\Pi_{BC}$. Indeed, since the updates to $\Pi_{AB}$ which hold $\Pi_B$ constant
are syntactically order realizable, the update strategy obtained by holding $\Pi_{BC}$
constant is the only one possible.

This elegant solution should be contrasted with the rather complex and ad 
hoc approach to establishing uniqueness for the same example in [2, 4.5], [3, 4.6]. 
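The constant-complement translation of Example 5.9 can be carried out mechanically. The following Python sketch is an added illustration, not code from the paper; the function names and the sample instance are constructed for this example. It reflects an update of the view on AB back to R[ABC] by joining the new view state with the unchanged BC projection, rejects any update that alters the meet (the projection on B), and decides legality of the view state through 2-element subinstances, as the 2-submodel property of FD-constrained schemas permits.

```python
from itertools import combinations

# Schema E3 of Example 5.9: relation R[ABC] with FDs B -> A and B -> C.
FDS_ABC = [("B", "A"), ("B", "C")]

def satisfies_fds(rel, attrs, fds):
    """True iff every FD X -> Y (single attributes) holds in rel."""
    pos = {a: i for i, a in enumerate(attrs)}
    for lhs, rhs in fds:
        image = {}
        for t in rel:
            if image.setdefault(t[pos[lhs]], t[pos[rhs]]) != t[pos[rhs]]:
                return False
    return True

def legal_by_pairs(rel, attrs, fds):
    """Legality via the 2-submodel property: an FD can only be violated by
    two tuples, so checking every 2-element subinstance suffices."""
    return all(satisfies_fds({s, t}, attrs, fds)
               for s, t in combinations(rel, 2))

def project(rel, attrs, onto):
    """Projection of rel (tuples over attrs) onto the attributes in onto."""
    cols = [attrs.index(a) for a in onto]
    return {tuple(t[c] for c in cols) for t in rel}

def reflect(main, new_ab):
    """Translate a new state of the AB view into a new state of R[ABC],
    holding the BC complement constant. Raises ValueError if the update
    is not allowed."""
    old_bc = project(main, "ABC", "BC")
    # The meet (projection on B) must stay constant.
    if project(new_ab, "AB", "B") != project(main, "ABC", "B"):
        raise ValueError("update changes the meet (projection on B)")
    # The new view state must be legal for the view: B -> A.
    if not legal_by_pairs(new_ab, "AB", [("B", "A")]):
        raise ValueError("new view state violates B -> A")
    # Lossless join of the new view state with the unchanged complement.
    return {(a, b, c) for (a, b) in new_ab for (b2, c) in old_bc if b == b2}

def try_reflect(main, new_ab):
    """Like reflect, but returns None when the update is rejected."""
    try:
        return reflect(main, new_ab)
    except ValueError:
        return None

# Constructed sample instance of R[ABC].
MAIN = {("alice", "k1", "x"), ("bob", "k2", "y")}

if __name__ == "__main__":
    # Allowed: only the A-value of an existing tuple changes.
    print(try_reflect(MAIN, {("carol", "k1"), ("bob", "k2")}))
    # Rejected: inserting a tuple changes the projection on B.
    print(try_reflect(MAIN, {("alice", "k1"), ("bob", "k2"), ("dave", "k3")}))
```
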



6 Final Remarks 

Discussion 6.1 (Conclusions and proposed future work). It has been
shown that, under quite general conditions, the explosion in constraint complexity
which may occur when moving from a main schema to a view cannot adversely
affect the complexity of updates issued against a closed database view.
Essentially, such explosions in complexity must be encapsulated within the meet
of the view to be updated and the complement used to define the update strategy.
Since that part of the view is not alterable during an update, the complexity of
the constraints on the meet is irrelevant. The complexity which is passed along
to the view-update process is no greater than the corresponding complexity on
the main schema.

The scope of the approach presented here is limited to a context which
generalizes EGDs of the relational model, and covers neither TGDs such as join
dependencies nor non-universal dependencies such as foreign-key constraints. In
terms of practical use, the most salient task is to extend the framework to
include foreign-key dependencies, since they are used in real, commercial relational
database systems. To accomplish this, it seems necessary to extend the notion
of a CFA-schema to one which explicitly recaptures the idea of a multi-relation
schema, since such dependencies involve multiple relations in a fundamental way.

Extension to recapture TGDs is more straightforward, involving a
generalization of the notion of k-model to $(k_1, k_2)$-model, with $k_1 \in \mathbb{N}$ and $k_2 \geq 1$
a real number. Roughly, $M \in \mathrm{DB}(D)$ is a $(k_1, k_2)$-model if there is a $k_1$-model
$M' \in \mathrm{DB}(D)$ with $M \subseteq M'$ and $\mathrm{Card}(M') \leq k_2 \cdot \mathrm{Card}(M)$. Note that k-models
are just $(k, 1)$-models in this extended context. Extension to recapture views
defined by joins is also reasonably straightforward. While the view mappings are
obviously no longer basis preserving, it is nonetheless possible to establish the
necessary properties (i.e., those of Definition 3.10 and Proposition 3.11). All of
these topics will be addressed in a forthcoming full version of this paper.

Finally, since the theory is not tied to any particular data model, it seems
appropriate to apply this theory to models other than the classical relational.
The difficulty is to find a suitable starting point, since the type of complexity
questions addressed here have not been studied in any detail for models other
than the relational.

Discussion 6.2 (Relationship to other work). In an early paper,
Cosmadakis and Papadimitriou [14] present pessimistic complexity results which would
appear to contradict those obtained here. However, they work with general
subdirect complements, and not meet complements, and so their results do not apply
to the closed update strategies considered here. They also investigate the
complexity of identifying a minimal (not necessarily meet) complement which will
support a given update, again with pessimistic results. Recently, Lechtenbörger
and Vossen [15] have also looked at the complexity of the problem of identifying
(not necessarily meet) complements to views, but for the purpose of identifying
information missing in the view, and not with an eye towards update strategies.
Their approach, by design, does not concern itself with meet complements or
update strategies. Beyond those works, most of the literature on the problem
of complexity of view updates is focused on logic databases. The fundamental
issues which arise in that context (theory-oriented database models) are quite
different from those of instance-oriented database models, and so a meaningful
comparison is difficult at best.

Abstract. Dimension schemas are abstract models of the data hierarchies
that populate OLAP warehouses. Although there is abundant work
on schema equivalence in a variety of data models, these works do not
cover dimension schemas. In this paper we propose a notion of equivalence
that allows dimension schemas to be compared with respect to their
information capacity. The proposed notion is intended to capture dimension
schema equivalence in the context of OLAP schema restructuring.
We offer characterizations of schema equivalence in terms of graph and
schema isomorphisms, and present algorithms for testing it in well known
classes of OLAP dimension schemas. Our results also permit comparing
the expressiveness of different known classes of dimension schemas.



1 Introduction 

OLAP dimensions are data hierarchies that populate data warehouses. These
entities are hierarchically organized information that defines the perspective from
which the data is viewed. As an example, in a data warehouse we may have
dimensions describing products, stores and time, which may be used to visualize
the facts generated by a sales process.

Figure 1 depicts a dimension that models financial services offered by a bank:
accounts, credit cards and loans. On the left hand side of Figure 1, there is a
graph called hierarchy schema which models the structure of the dimension.
The vertices of this graph are called categories. On the right hand side, there
is another graph, called hierarchy domain, whose vertices, called members, are
grouped by categories and ordered by a child/parent relation. For example, in
the dimension at hand, we may say that member p1 belongs to the category
Product and p1 has d1 as a parent in the category Department.

In the dimension at hand, some types of products, like personal loans and
some sorts of accounts, are handled by branches, whereas others, like mortgage
and corporate loans, are handled by departments. Only the products in branches
are classified through the hierarchy path Product-ProdType-ProdClass-All.
There is a manager in charge of each branch and department. Finally, it happens
that the Asia branch and all departments handle products in only one category;
thus, their managers belong to a member in ProdClass.



D. Seipel and J.M. Turull-Torres (Eds.): FoIKS 2004, LNCS 2942, pp. 176-195, 2004.
(c) Springer-Verlag Berlin Heidelberg 2004

Fig. 1. The dimension Product: (A) hierarchy schema; (B) child/parent relation.



1.1 Dimension Schemas 

A dimension schema is an abstract model of a dimension commonly used to
support summarizability reasoning in OLAP applications [HM02], that is, to
test whether aggregate views defined for some categories can be correctly
derived from a set of precomputed views defined for other categories. A dimension
schema, being an abstract representation of a dimension, represents the set of
possible dimensions that conform to it. This set reflects the information
capacity of the schema. Thus when we perform reasoning on the schema, we infer
properties of all the dimensions in the set.

A central drawback of traditional dimension schemas is that they do not
account for structural heterogeneity. Such schemas model dimensions in which
members in a category c should have a parent in every category directly above
c, a condition we refer to as homogeneity. This restriction is unnatural since
in many application domains the members of a category have parents (resp.,
ancestors) in different sets of categories. As an example, in the hierarchy domain
of Figure 1 (B), some products are under branches while some others are under
departments.

In previous work [HM02] we introduced semantically rich dimension schemas
to support summarizability reasoning in heterogeneous dimensions. In our
setting, dimension schemas are modeled as a hierarchy schema along with a set of
integrity constraints, called dimension constraints. The hierarchy schema
represents a set of links for the child/parent relation, that is, whenever we have a
child/parent relationship between two members in two categories, the categories
must be directly connected in the hierarchy schema. Dimension constraints are
statements that specify legal paths allowed in the hierarchy domain. The
constraints are used to place further restrictions to let the schema capture more
precisely different sets of dimensions.

For example, we may require that all the products handled by some
branch are not handled by departments, and vice versa. This is stated by
the constraint saying that each product can have ancestors in either the path
(Product, Branch) or the path (Product, Department), but not in both. Other
constraints may express that the ancestors of some members roll up to members
that form a particular path in the hierarchy schema. For example we
model that “the manager of the Asia branch rolls up to a product class
(because the manager handles products that belong to a single product class)”
as “(Branch = Asia) ⇔ (Branch, Manager, ProdClass)”. The expressions in
brackets are atomic statements (called atoms). It turns out that Boolean
combinations of atoms are needed to support summarizability reasoning [HM02].

Simple forms of these constraints characterize typical classes of
OLAP schemas. For example, the condition of homogeneity of the
edge (ProdType, ProdClass) can be expressed with the constraint
(ProdType, ProdClass), which asserts that each product type belongs to
a product class. In this sense, the class of schemas with dimension constraints
subsumes other classes of schemas in OLAP (see Section 2.4) such as the
dimension schemas of Jagadish et al. [JLS99], called in this paper canonical,
which partially solve the limitations of traditional OLAP models by allowing
several bottom categories, but keeping the homogeneity restriction. Canonical
schemas allow unbalancedness, that is, they can have several bottom categories.
In this form, members in different bottom categories may have ancestors in
different hierarchy paths in the schema.

Different classes of dimension schemas are classified in [Hur02], where by
“traditional OLAP” we refer to the basic class of homogeneous schemas with a
single bottom category (balanced schemas).

1.2 Problem Statement 

Similarly to the case of general database schemas, two dimension schemas can
be compared with respect to their information capacity. Schemas with the same
information capacity can be used to simulate each other. In a typical modeling
scenario the user starts with some schema and proceeds to restructure it. In the
context of OLAP, it is very important that the restructuring process preserves
schema equivalence because the schema is more useful for reasoning about data
than it is just as a container of data. So we would like to keep the information
on the schema as precise as possible to capture the set of instances as tightly as
possible.

The goal of this paper is to study dimension schema equivalence in the
context of OLAP schema restructuring. Formal notions of schema equivalence are
fundamental to put restructuring techniques on solid ground. For example, Miller
et al. [MIR94] argue that the restructuring task may be addressed following two
different strategies: (i) build a desired schema and then test whether it is
equivalent to the original schema; (ii) use a set of primitives to transform the original
schema into a desired schema. In both approaches, we need to define under
which conditions two dimension schemas are equivalent. In the first approach
we need algorithms for the equivalence test. The second approach requires a set
of well defined dimension transformations. The central desirable properties of
such a set, soundness and completeness [Alb00], depend on the notion of schema
equivalence used as well.

Fig. 2. Product hierarchy schemas.

We cast the restructuring task as a process in which the structure of the
dimension (i.e. its hierarchy schema) changes but its data hierarchy (hierarchical
domain) does not.

Example 1. Consider the hierarchy schemas shown in Figure 2. The three
hierarchy schemas can be used to model the hierarchy domain of Figure 1.
Hierarchy schema (A) is the same as the one of Figure 1. Hierarchy schema (B) has
Asia branch grouped with departments in a single category. Finally, in
hierarchy schema (C), the products (bottom members) are split into three categories:
DeptProduct, AsiaBranchProduct, and BranchProduct, the branches are split
into Branch and AsiaBranch, and the managers are split into the categories
Dep&AsiaManager and BranchManager. Notice that the dimension having
hierarchy schema (C) along with the hierarchy domain of Figure 1 is
homogeneous.

Schema equivalence has been formalized by requiring the existence of a
bijective mapping between the instances of two equivalent schemas [Hul86]. Example 1
shows that a great deal of flexibility in OLAP dimension modeling can be
captured by restructuring processes in which members are reorganized into different
categories but their hierarchy domain does not change. Thus at the schema level,
the correctness of a restructuring process may be formalized by requiring the
existence of bijective instance mappings between the schemas which preserve
hierarchy domains. As members are associated with facts in datacubes, this
mapping restriction guarantees that the aggregate data are preserved through
different dimension instances in the restructuring process, thus avoiding
recomputation of aggregate data, and letting users keep browsing aggregate data using
the same hierarchy domain.

Example 2. Consider the following dimension schemas. The dimension schema
productA has the hierarchy schema of Figure 1 (A) along with the dimension
constraints (a)-(d) of Figure 3. The dimension schema productB has the
hierarchy schema of Figure 1 (B) along with the dimension constraints (a’)-(c’) of
Figure 3. Finally, the dimension schema productC has the hierarchy schema of
Figure 1 (C) along with the constraint (f) of Figure 3, and a constraint (c, c'), for
every edge (c, c') in the hierarchy schema. Observe that the products in schema
productC are now split in three categories depending on where they roll up to
(only to Department, to AsiaBranch and ProdType, etc.)

(a) (Product, Branch) ⊕ (Product, Department)

(b) (Product, Branch) ⇔ (Product, ProdType)

(c) (Department, Manager, ProdClass)

(d) (Branch = Asia) ⇔ (Branch, Manager, ProdClass)

(a’) (Product, Dept&AsiaBranch) ⊕ (Product, Branch)

(b’) ((Product, Branch) ∨ (Product, Dept&AsiaBranch = Asia)
(Product, ProdType)

(c’) (Dept&AsiaBranch, Manager, ProdClass)

(e) (c, c') for each edge (c, c') in the hierarchy schema

(f) (AsiaBranch = Asia)

Fig. 3. Dimension Constraints for the product hierarchy schemas.

The constraints make the different schemas equivalent (although we have not
proved this yet). For example, constraints (c) and (d) of productA translate to
(c’) in productB.



1.3 Related Work 

There has been abundant work on OLAP dimension modeling over the past few
years [CT97,HMV99,LAW98,PJE99,JLS99]. However, to the best of our
knowledge, there are no studies regarding dimension schema equivalence. Several
notions of schema equivalence for a variety of data models have been proposed. The
most general notion of schema equivalence, absolute equivalence [Hul86],
characterizes the minimum requirements that two schemas must satisfy in order for
them to have the same information capacity. Absolute equivalence is formalized
by requiring the existence of a bijection between the instances of the schemas.
Any arbitrary mapping may be used to guarantee absolute equivalence. In
addition, the mappings are not required to be finitely specifiable (they can be an
infinite list of pairs of schema instances). A hierarchy of more restricted notions
of equivalence has been proposed [Hul86]. For example: internal equivalence
requires the existence of a bijection that neither creates nor destroys elements in
the instances; query equivalence requires the mappings to be expressible in the
query language of the data model. Other notions of equivalence and their testing
have been studied for generic graph data models by Miller et al. [MIR94] and
nested data models [VL00]. Our notion of equivalence places minimum
restrictions on the instance mappings in order to let them capture all possible ways of
grouping members into categories in a schema.

A detailed description of the relationship of dimension constraints and the
other constraints for OLAP and other data models is presented by Hurtado
[HGM03]. Next, we highlight the most important points in this respect. As
explained in several papers (e.g., [JLS99,HMV99]) an OLAP dimension may be
modeled as a set of normalized tables, one for each category, containing the
rollup mappings that start from the category, along with the attributes of
the category. Therefore dimension schemas may be formalized using a relational
database setting. It is easily verified that dimension constraints are FOL
constraints; therefore, our entire framework is a fragment of FOL. Abiteboul et al.
[AV97] study a class of FOL constraints called embedded constraints that
formalize a wide variety of constraints studied in the database literature. They
essentially express that the presence of some tuples in the instance implies the
presence of some other tuples in the instance or implies that certain tuple
components are equal. Dimension constraints cannot be expressed with embedded
constraints, since we cannot assert with them that “some tuples or some other
tuples appear in the instance”, which is needed to characterize summarizability.
Dimension constraints restrict data in a similar fashion to disjunctive
existential constraints (dec’s) [Gol81] (which are not embedded constraints).
Disjunctive existential constraints are used to characterize the possible sets of non-null
attributes that may occur in the tuples of a relation; conceptually, the
possible objects that are mixed in the relation. Another class of constraints along
the same lines is presented by Husemann et al. [HLV00]. These constraints can
be easily represented with dimension schemas, and do not have the full
expressiveness of the Boolean connectives needed for summarizability reasoning.
Path constraints [AV97,BFS98] allow describing certain forms of heterogeneity
in semistructured data. They characterize the existence of paths associated with
sequences of labels in semistructured data. However, path constraints also lack
the entire expressiveness needed to characterize summarizability, and to describe
the sort of heterogeneity arising in OLAP applications. On the other hand, path
constraints are interpreted over data which have fewer restrictions in their
structure than OLAP dimensions, leading to a different treatment and complexity
of their inference.



1.4 Contributions 

This paper presents the following contributions:

- A notion of equivalence, hierarchical equivalence, which allows comparison
of dimension schemas with respect to their information capacity.

- A proof that hierarchical equivalence can be characterized in terms of graph
and schema isomorphisms in two known classes of dimension schemas, called
here canonical and balanced. The formal proof of this intuitive connection
is non-obvious, as we show in Section 4. The result proves that canonical
schemas are more expressive than balanced schemas, hence formally
justifying the introduction of canonical schemas.

- A class of schemas, frozen schemas, that act as normal forms for dimension
schemas, in the sense that any dimension schema can be reduced via
some well defined transformation to a unique (up to isomorphism) frozen
schema. It is proved that the hierarchy equivalence test for frozen dimensions
reduces to a simple form of schema isomorphism. This result leads to another
important property of dimension schemas, namely, that heterogeneous
dimension schemas can always be transformed into homogeneous schemas. We
sketch an algorithm that performs such a transformation in an efficient way,
and study its complexity.

- Complexity bounds and a study of algorithmic aspects of hierarchical
equivalence testing. In particular, we present a characterization of hierarchical
equivalence in terms of mappings between minimal dimension instances
contained by the schemas. This leads to an algorithm for testing hierarchical
equivalence. We show that the algorithm is more efficient than testing
hierarchical equivalence by reducing the schemas to frozen schemas.



1.5 Outline 

The remainder of the paper is organized as follows. In Section 2 we review the 
main concepts related to schemas and state the notation. Section 3 introduces 
hierarchical equivalence and shows its relation with balanced schemas. Section 
4 studies hierarchical equivalence of canonical schemas, and shows that in this 
context hierarchical equivalence corresponds exactly to graph isomorphism 
of the corresponding hierarchy schemas. In Section 5 we generalize this result 
to dimension schemas, that is, we allow the comparison of schemas with different 
hierarchy schemas and constraints. The notion of frozen schema is introduced and 
studied, along with the algorithmic aspects of hierarchical equivalence. Finally, in 
Section 6 we briefly conclude and outline further work. The complete proofs are 
presented in the full version of this paper [HG03]. 

2 Preliminaries 

2.1 Basic Graph Terminology 

A (directed) graph $G$ is a pair of sets $(V, E)$ where $E \subseteq V \times V$. Elements $v \in V$ 
are called vertices and pairs $(u, v) \in E$ (directed) edges; $u$ and $v$ are adjacent 
vertices. A path in $G$ from $v$ to $w$ is a sequence of vertices $v = v_0, \ldots, v_n = w$ 
such that $(v_i, v_{i+1}) \in E$. We say that $v$ reaches $w$. The length of a path is $n$. A 
cycle is a path with $v = w$. A dag is a directed acyclic graph. A sink in a dag is a 
distinguished vertex $w$ reachable from every other vertex in the graph. A source 
in a dag is a distinguished vertex $v$ from which every other vertex of the graph 
is reachable. A shortcut in a dag is a path of length $> 1$ between two adjacent 
vertices. Given a vertex $v$ of $G$, an upgraph is the subgraph of $G$ generated by $v$ 
and all the vertices reachable from it. 

Given two graphs $G = (V, E)$ and $G' = (V', E')$, a graph morphism is a function 
$\phi : V \to V'$ preserving edges, that is, $(u, v) \in E$ implies $(\phi(u), \phi(v)) \in E'$. 
The morphism $\phi$ is called an isomorphism (resp. monomorphism, epimorphism) 
if $\phi$ as a function is bijective (resp. injective, onto). 

2.2 Dimension Instance 

Assume the existence of (possibly infinite) sets of categories $\mathcal{C}$, and of members 
$\mathcal{M}$. 

Definition 1 (Hierarchy Schema). A hierarchy schema is a dag $H = (C, \nearrow)$, 
where $C \subseteq \mathcal{C}$, having a distinguished category $\mathrm{All} \in C$ which is a sink. 

Definition 2 (Hierarchy Domain). A hierarchy domain is a dag $h = (M, <)$ 
where $M \subseteq \mathcal{M}$, having a distinguished member $\mathrm{all} \in M$ which is a sink, and 
without shortcuts. 

The last condition in Definition 2 (no shortcuts) avoids redundancies (tran- 
sitive edges) in the representation of the data. 

Given a child/parent relation $<$, its reflexive and transitive closure, denoted 
$\le$, is called rollup relation, and is a partial order between members. 

Definition 3 (Dimension Instance). A dimension instance $d$ over a hierarchy 
schema $(C, \nearrow)$ is a graph morphism $d : (M, <) \to (C, \nearrow)$ such that: 

1. $(M, <)$ is a hierarchy domain; 

2. $d(\mathrm{all}) = \mathrm{All}$; 

3. $x \le y \wedge x \le z$ implies $d(y) \neq d(z)$. 

The fact that $d$ is a graph morphism in Definition 3 states that whenever 
we have a child/parent relationship $m_1 < m_2$ between some pair of members 
$m_1 \in c_1$ and $m_2 \in c_2$, then there is an edge $c_1 \nearrow c_2$ in the hierarchy schema 
representing links between categories $c_1$ and $c_2$. Condition 3 of Definition 3 is 
a basic restriction in OLAP data modeling [HMV99,CT97,LAW98], and states 
that the rollup relation $\le$ is functional (i.e., single valued) between every pair 
of categories. This motivates the introduction of the rollup mapping between two 
categories $c_1$ and $c_2$ of a dimension $d$, denoted $\Gamma_{c_1}^{c_2} d$, which is the restriction of $\le$ 
to $d^{-1}(c_1)$ and $d^{-1}(c_2)$. 
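
The conditions of Definitions 1 to 3 can be checked mechanically. The following Python code is an added example, not code from the paper; the function names and the sample data are constructed for illustration, and condition 3 is read as applying to distinct $y$ and $z$ under the rollup relation.

```python
def closure(edges):
    """Transitive closure of a set of (child, parent) pairs."""
    plus = set(edges)
    while True:
        new = {(a, c) for (a, b) in plus for (b2, c) in edges if b == b2} - plus
        if not new:
            return plus
        plus |= new


def is_dag_with_sink(vertices, edges, sink):
    """Acyclic, and `sink` is reachable from every other vertex."""
    plus = closure(edges)
    if any((v, v) in plus for v in vertices):
        return False
    return sink in vertices and all((v, sink) in plus for v in vertices if v != sink)


def shortcuts(edges):
    """Edges (u, v) that are doubled by a path of length > 1 from u to v."""
    plus = closure(edges)
    return {(u, v) for (u, v) in edges
            if any(a == u and (w, v) in plus for (a, w) in edges)}


def check_dimension_instance(C, schema_edges, M, lt, d):
    """Return the violated conditions of Definitions 1-3 (empty list: valid).

    C, schema_edges: categories and edges of the hierarchy schema.
    M, lt:           members and child/parent relation < of the hierarchy domain.
    d:               dict mapping every member to its category.
    """
    errors = []
    if not is_dag_with_sink(C, schema_edges, "All"):
        errors.append("schema: not a dag with sink All")
    if not is_dag_with_sink(M, lt, "all"):
        errors.append("domain: not a dag with sink all")
    if shortcuts(lt):
        errors.append("domain: shortcut")
    if any((d[x], d[y]) not in schema_edges for (x, y) in lt):
        errors.append("d: not a graph morphism")
    if d.get("all") != "All":
        errors.append("d: d(all) != All")
    # Condition 3 (assumption: y and z distinct): under the rollup relation,
    # no member has two different ancestors in the same category.
    le = closure(lt) | {(m, m) for m in M}
    for x in sorted(M):
        ancestors = {y for (a, y) in le if a == x}
        if len({d[y] for y in ancestors}) < len(ancestors):
            errors.append("condition 3: rollup not functional")
            break
    return errors


# Constructed sample data (not from the paper). The schema edge
# Product -> Company is a shortcut, which Definition 1 allows.
C = {"Product", "Brand", "Company", "All"}
SCHEMA = {("Product", "Brand"), ("Brand", "Company"),
          ("Product", "Company"), ("Company", "All")}
M = {"p1", "p2", "b1", "co1", "all"}
LT = {("p1", "b1"), ("b1", "co1"), ("p2", "co1"), ("co1", "all")}
D = {"p1": "Product", "p2": "Product", "b1": "Brand",
     "co1": "Company", "all": "All"}

if __name__ == "__main__":
    print(check_dimension_instance(C, SCHEMA, M, LT, D))
```

The sample instance is heterogeneous (p2 rolls up to Company directly, p1 through Brand) and still valid; adding the edge p1 < co1 creates a shortcut in the hierarchy domain.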

2.3 Dimension Schema 

Next we formalize the notions of dimension constraint and dimension schema. 

Definition 4 (Dimension Constraint). Let $H = (C, \nearrow)$ be a hierarchy 
schema, $c \in C$, $K \subseteq \mathcal{M}$. The language of constraints (with root $c$) has the 
following atoms: 

1. Path atoms: $(c, c_1, \ldots, c_n)$, where $c\,c_1 \cdots c_n$ is a path in $H$; 

2. Equality atoms: $(c, .., c' = k)$, where $c'$ is such that there is a path from $c$ 
to $c'$, and $k \in K$. 

A dimension constraint with root $c$ is a Boolean combination $\phi$ of atoms of 
the above kind. 

Dimension constraints consider the usual connectives $\wedge$, $\vee$, $\Rightarrow$, $\Leftrightarrow$, and $\oplus$ 
for exclusive disjunction. In addition, $\bot$ and $\top$ will denote the false and the true 
proposition, respectively. 

Definition 5 (Semantics of Constraints). Let $d : (M, <) \to (C, \nearrow)$ be a 
dimension instance, and $\phi$ a constraint with root $c$. Then $d \models \phi$ if and only if 

for all $m \in d^{-1}(c)$, $d \models \phi[c/m]$, 
where $d \models \phi[c/m]$ is defined recursively as follows: 

1. $d \models (c, c_1, \ldots, c_n)[c/m]$ iff there is a path $m\,x_1 \cdots x_n$ in $(M, <)$ with 
$d(x_i) = c_i$. 

2. $d \models (c, .., c' = k)[c/m]$ iff $d(k) = c'$ and $m \le k$. 

3. $d \models (\phi \wedge \psi)[c/m]$ iff $d \models \phi[c/m]$ and $d \models \psi[c/m]$. Similarly for $\vee$ and the 
other Boolean connectives. 

Given a hierarchy schema $H$ and two sets of constraints $\Sigma$, $\Sigma'$ over $H$, we 
say that $\Sigma$ is equivalent to $\Sigma'$ if for all dimension instances $d$ over $H$ it holds: 
$d \models \Sigma$ iff $d \models \Sigma'$. 

Now we are ready to introduce the concept of Dimension Schema. The fol- 
lowing definition extends Definition 3 in the presence of constraints. 

Definition 6 (Dimension Schema). A dimension schema is a pair $(H, \Sigma)$ 
where $H$ is a hierarchy schema and $\Sigma$ is a set of constraints. 

A dimension instance $d$ over a dimension schema $D = (H, \Sigma)$ is a dimension 
instance $d$ over $H$ such that $d \models \Sigma$. The set of dimension instances over $D$ will 
be denoted by $I(D)$. 

Definition 7 (Schema Equivalence and Isomorphism). 

Let $D = (H, \Sigma)$ and $D' = (H', \Sigma')$ be two dimension schemas. 

1. $D$ and $D'$ are equivalent, denoted $D \equiv D'$, iff $H = H'$ and $\Sigma$ is equivalent 
to $\Sigma'$. 

2. $D$ and $D'$ are isomorphic, denoted $D \cong D'$, iff there exists a graph 
isomorphism $f : H \to H'$ such that $(f(H), f(\Sigma)) = (H', \Sigma')$, where $f(\Sigma)$ stands 
for $\Sigma$ modulo renaming by $f$. 
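
Definition 5 translates directly into an evaluator, which also decides membership in the set of instances of Definition 6. The following Python code is an added example, not the authors'; the nested-tuple encoding of constraints and all function names are chosen here, the hierarchy schema B is an assumed four-category dag (Figure 4 is not reproduced on the page), and the constraint is the one given for schema $D_2$ in Example 4. It also evaluates the homogeneity constraints $\{(c, c') \mid c \nearrow c'\}$ used in Definition 8.

```python
def ancestors(lt, m):
    """Members k with m <= k, where <= is the reflexive-transitive closure of <."""
    seen, todo = {m}, [m]
    while todo:
        x = todo.pop()
        for (a, b) in lt:
            if a == x and b not in seen:
                seen.add(b)
                todo.append(b)
    return seen


def holds(lt, d, phi, m):
    """d |= phi[c/m] for a constraint phi encoded as a nested tuple."""
    op = phi[0]
    if op == "true":
        return True
    if op == "false":
        return False
    if op == "path":                      # ("path", c, c1, ..., cn)
        frontier = {m}
        for cat in phi[2:]:               # follow a path m x1 ... xn with d(xi) = ci
            frontier = {y for (x, y) in lt if x in frontier and d[y] == cat}
        return bool(frontier)
    if op == "eq":                        # ("eq", c, c2, k) encodes (c, .., c2 = k)
        _, _, cat, k = phi
        return d.get(k) == cat and k in ancestors(lt, m)
    if op == "not":
        return not holds(lt, d, phi[1], m)
    left, right = holds(lt, d, phi[1], m), holds(lt, d, phi[2], m)
    return {"and": left and right, "or": left or right,
            "implies": (not left) or right, "iff": left == right,
            "xor": left != right}[op]


def satisfies(lt, d, root, phi):
    """d |= phi: phi[c/m] holds for every member m of the root category c."""
    return all(holds(lt, d, phi, m) for m in d if d[m] == root)


def in_schema(lt, d, sigma):
    """d satisfies every (root, constraint) pair of the constraint set sigma."""
    return all(satisfies(lt, d, root, phi) for (root, phi) in sigma)


def homogeneity_constraints(schema_edges):
    """One path atom (c, c') per schema edge from c to c', each with root c."""
    return [(c, ("path", c, c2)) for (c, c2) in sorted(schema_edges)]


# Hierarchy schema assumed for illustration: e below f and g, both below All.
B = {("e", "f"), ("e", "g"), ("f", "All"), ("g", "All")}
# Constraint of Example 4 with root e: not (e, f) or not (e, g).
SIGMA_2 = [("e", ("or", ("not", ("path", "e", "f")),
                        ("not", ("path", "e", "g"))))]

# Constructed instances, each a pair (child/parent relation <, mapping d).
ONE_PARENT = ({("m", "x"), ("x", "all")},
              {"m": "e", "x": "f", "all": "All"})
TWO_PARENTS = ({("m", "x"), ("m", "y"), ("x", "all"), ("y", "all")},
               {"m": "e", "x": "f", "y": "g", "all": "All"})

if __name__ == "__main__":
    for name, inst in (("one parent", ONE_PARENT), ("two parents", TWO_PARENTS)):
        print(name, in_schema(*inst, SIGMA_2),
              in_schema(*inst, homogeneity_constraints(B)))
```

On this data the two constraint sets accept disjoint instances: the member with a single parent satisfies the Example 4 constraint but not homogeneity, and the member with parents in both f and g does the opposite.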

Notice that the notion of equivalence of Definition 7 implies isomorphism. 



2.4 Classes of Dimension Schemas 

The model we have presented subsumes the dimension models presented in the 
literature. The following definition formalizes two classes of dimension schemas 
that arise in OLAP. 

Definition 8 (Classes of Dimension Schemas). Let $D = (H, \Sigma)$ be a 
dimension schema. 

1. $D$ is canonical iff $H$ has no shortcuts and $\Sigma$ is equivalent to 
$\{(c, c') \mid c \nearrow c'\}$. 

2. $D$ is balanced iff $D$ is canonical and $H$ has a source. 

A dimension instance $d$ is homogeneous if for every pair of categories $c_1 \nearrow c_2$ 
it holds that the rollup mapping $\Gamma_{c_1}^{c_2} d$ is a total function. Note that the 
constraint $(c, c')$ where $c \nearrow c'$ forces the rollup mapping from $c$ to $c'$ to be 
total. Therefore, canonical schemas convey all the homogeneous instances over 
their hierarchy schema. In this sense, in canonical schemas, $\Sigma$ captures exactly 
homogeneity. Also notice that we have defined a canonical schema to be shortcut-free, 
because otherwise $\Sigma$ would force the categories from which the shortcuts 
start to be empty in every dimension conveyed by the schema. Balanced schemas 
correspond to the basic class of schemas introduced in early works on OLAP. 
They are the logical representation of dimension schemas in early snowflake 
schemas [CD97]. Canonical schemas were introduced by Jagadish et al. [JLS99] to 
overcome some of the weaknesses of balanced schemas. Canonical schemas allow 
unbalancedness, that is, they can have dimension instances with two members 
in the bottom categories having ancestors in different sets of categories. This has 
been shown to be an important feature to provide flexibility in OLAP modeling. 

Example 3. If we delete the constraint (f) from the dimension schema productC 
described in Example 2, the schema turns into a canonical schema. 

Given two classes of schemas $S_1$, $S_2$, we define $S_1 \subseteq S_2$ iff for each schema 
in $S_1$, there is an equivalent schema in $S_2$. Then it holds Balanced Schemas $\subseteq$ 
Canonical Schemas $\subseteq$ Dimension Schemas, and the inclusions are proper. 

3 Hierarchical Equivalence 

In this section we present the notion of hierarchical equivalence in which dimen- 
sion schemas are related via mappings that preserve the hierarchy domain of the 
dimensions. 

Observe that the notion of schema equivalence of Definition 7 does not al- 
low us to compare schemas having different hierarchy schemas. The following 
definition generalizes Definition 7 for schemas over arbitrary hierarchy schemas. 

Definition 9 (Hierarchical Equivalence). Two dimension schemas $D$ and 
$D'$ are hierarchically equivalent (h-equivalent) if and only if there is a bijective 
function $f : I(D) \to I(D')$ such that for all $d \in I(D)$, $\mathrm{dom}(d) = \mathrm{dom}(f(d))$. In 
this case we write $D \equiv_h D'$. 

Observe that the relation $\equiv_h$ is an equivalence relation. Also, it is worth noting 
that the instance mapping $f$ required for h-equivalence is internal [Hul86], 
i.e., it neither creates nor destroys members or constants in the instances. 
Moreover, the mapping is generic [Hul86], that is, given a pair of dimension 
instances $d$ and $d'$ with $d' = f(d)$, if we apply the same permutation $\pi$ of members 
to $d$ and to $d'$, if $\pi(d)$ is in the domain of $f$ then $\pi(d') = f(\pi(d))$. Thus, 
hierarchical equivalence is a more restricted notion than internal and generic 
equivalence. 

Example 4. Consider the dimension schemas $D_1 = (A, \Sigma_1)$, $D_2 = (B, \Sigma_2)$ and 
$D_3 = (C, \Sigma_3)$, where $A$, $B$, $C$ are the hierarchy schemas in Figure 4, $\Sigma_1 = \Sigma_3 = \emptyset$ 
and $\Sigma_2 = \{\neg(e, f) \vee \neg(e, g)\}$. Then $D_1 \equiv_h D_2$ via mapping the members of $c$ to 
$f$, the members of $d$ to $g$, and the members of $a$ and $b$ to $e$. However, it is not 
the case that $D_1 \equiv_h D_3$. Indeed, given a member $m$, there is a unique dimension 
instance in $I(D_3)$ whose child/parent relation is $\{m < \mathrm{all}\}$, but there are two 
dimension instances in $I(D_2)$ whose child/parent relation is $\{m < \mathrm{all}\}$. 

Fig. 4. Three hierarchy schemas. 



It is not difficult to check that if $D \cong D'$ then $D \equiv_h D'$. We end this section 
by showing, in a straightforward way, that the converse also holds for 
balanced schemas. 

A dimension instance d is exact if d is bijective. It is easily verified that all 
canonical dimension schemas have an exact dimension instance. 

Theorem 1 (h-Equivalence of Balanced Schemas). Two balanced dimension 
schemas $D = (H, \Sigma)$ and $D' = (H', \Sigma')$ are h-equivalent if and only if $H$ 
and $H'$ are (graph) isomorphic. 

Proof. (Sketch.) One direction is obvious. 

Assume that $D \equiv_h D'$ via $f$. Consider an exact dimension $d$ of $(H, \Sigma)$. Then as 
graphs $H = \mathrm{dom}(d) = \mathrm{dom}(f(d))$. Now, because $D'$ is balanced there is a (graph) 
monomorphism $\mu : \mathrm{dom}(f(d)) \to H'$ with $\mu(\mathrm{all}) = \mathrm{All}$ (if $\mu(v) = \mu(w)$ for 
$v \neq w$, the source of $\mathrm{dom}(f(d))$ would have two ancestors in the same category, 
violating condition 3 of Definition 3). Hence there is a monomorphism $H \to H'$. 
By the same argument in the reverse direction, there is a monomorphism $H' \to H$. 
Hence because $H$, $H'$ are finite graphs, $H \cong H'$. □ 



4 Hierarchical Equivalence of Canonical Schemas 

This section extends the results of Theorem 1 to canonical dimensions. The im- 
portance of this result is twofold: (1) The notion of h-equivalence has a simple 
and intuitive characterization as graph isomorphism in canonical schemas (this 
result is stated in Theorem 2 in this section). (2) From Theorem 2, it follows that 
canonical schemas are strictly more expressive than balanced schemas (because 
given a canonical and not balanced schema there is no balanced schema isomor- 
phic to it.) So we have now a formal argument that justifies the introduction of 
canonical schemas for OLAP modeling. 

First, observe that the argument in the proof of Theorem 1 does not necessarily 
work for canonical schemas (there could be no injective $\mu$). 

Fig. 5. Two hierarchy schemas. 



Example 5. Let $D$ and $D'$ be the dimension schemas of Figures 5 (A) and 5 (B), 
respectively. We define $\mu$ as in the proof of Theorem 1. Here, however, $\mu$ is not 
necessarily bijective. In particular, it could be the case that $h(d)$, where $d$ is the 
exact dimension of $D$, is a dimension whose non-empty categories are a, c, e, 
and All, and therefore $\mu$ could not be injective. 

The following is the main result of the section. We need the following nota- 
tion: a dimension d is complete with respect to a subgraph H' of its hierarchy 
schema if ran(d) = H' . 

Theorem 2 (h-Equivalence of Canonical Schemas). Let $D = (H, \Sigma)$ and 
$D' = (H', \Sigma')$ be two canonical schemas. Then, $D \equiv_h D'$ if and only if $H$ is 
(graph) isomorphic to $H'$. 

Proof. (Sketch.) Let us sketch the non-trivial direction of the proof. Let 
$H = (C, \nearrow)$ and $H' = (C', \nearrow')$ and $f : I(D) \to I(D')$ be the bijection given by $\equiv_h$. 

(*) Let $d_1 : (M, <) \to H$ be an exact dimension of $D$ (hence $H = (M, <)$). 
Let $f(d_1) : (M, <) \to H'$ be the image of $d_1$ under $f$ (by hypothesis $f(d_1)$ has 
the same domain as $d_1$). Let $d'_1$ be an exact dimension of $f(d_1)(M)$. Let be an 
exact dimension of $f^{-1}(d'_1)$. Continue this process until 
$H_1 = \mathrm{Im}(d_i) = \mathrm{Im}(d'_i) = H'_1$. Denote by $\mu_1$ this isomorphism. Note that $H_1$ is 
well defined because the process terminates by a graph theoretic argument. 

For each dimension instance $d : M_1 \to H$ with $d(M_1) = H_1$ do: Redefine $f$ by 
performing the following operations: $y := f(d)$; $f(d) := (\mu_1 \circ d)$; $f(f^{-1}(\mu_1 \circ d)) := y$. 
Recall from Section 2 that an instance $d$ takes its domain from a possibly infinite 
set $\mathcal{M}$. Here we assume that the set $\mathcal{M}$ is finite, hence the loop ends. The 
extension to the infinite case is straightforward. It is easily verified that at the 
end of this process we will have that for all complete $d$ of $H_1$, it holds that 
$f(d) = (\mu_1 \circ d)$. Call $f_1$ this new $f$. 

Now we repeat the whole process starting from (*) with $f_1$. This process 
generates $H_2$, $H'_2$ and a new $f_2$. 

Observe that $H_2 \neq H_1$, because otherwise there must be a complete dimension 
$d$ of $H_1$ which is not mapped to the complete dimension $(\mu_1 \circ d)$ via $f_1$. 

By repeating this process we generate a series $(H_1, H'_1, f_1), (H_2, H'_2, f_2), \ldots$ 
This series has the property $H_i \neq H_j$ for $i \neq j$ by an argument similar to the 
case $i = 1$. Finally just note that this series must be infinite, but there are only 
finitely many subgraphs of each hierarchy schema, a contradiction. □ 

Fig. 6. A series of matchings illustrating proof of Theorem 2 



The following example illustrates the main idea of the previous proof. 

Example 6. Let $D$ and $D'$ be the dimension schemas of Figures 5(A) and 5(B). 
Clearly they are not graph isomorphic. Assume that $D \equiv_h D'$ via an instance 
mapping $f$. Figure 6 depicts, on the top, the triple $(H_1, H'_1, f_1)$, and in the 
bottom $(H_2, H'_2, f_2)$, in a possible sequence generated in the proof for $D$ and 
$D'$. The map $f_1$ sends the complete dimension of the subschema underlined to 
the one underlined in $H'_1$. Similarly for $f_2$. This property forces the schema $H_2$ 
(resp. $H'_2$) to be different from $H_1$ (resp. $H'_1$). This series is infinite, but it can be 
checked now that there is no next triple $(H_3, H'_3, f_3)$, yielding a contradiction. 
Hence $D \not\equiv_h D'$. 



5 Hierarchical Equivalence of Dimension Schemas 

In this section we present a characterization of hierarchical equivalence for di- 
mension schemas, which yields an algorithm for testing hierarchical equivalence. 
The characterization will be based on another notion of equivalence, which is 
defined in terms of mappings between finite sets of minimal dimensions conveyed 
by the schemas called frozen dimensions. 

5.1 Frozen Equivalence 

We introduce a notion of equivalence, frozen equivalence, defined in terms of 
injective mappings between special kinds of dimension instances, called frozen. 
Intuitively, a frozen dimension is a minimal dimension conveyed by a dimension 
schema. Frozen dimensions were introduced in previous work [HM02] to test 
implication of dimension constraints. In order to test whether a dimension schema 
satisfies a dimension constraint $\alpha$, we only need to check $\alpha$ in each frozen 
dimension of the schema, which yields a finite set of tests (exponential in the size 
of the schema). In this section we use the notion of frozen dimension for giving 
an algorithmic version of h-equivalence. 

Let $D = (H, \Sigma)$ be a dimension schema; we denote by $\mathrm{Const}_D(c)$ the set of 
constants $k$ that occur in atoms of the form $(a, .., c = k)$ in $\Sigma$. 

Definition 10 (Frozen Dimension). Given a dimension schema $D$ and $c \in C$, 
a frozen dimension with root $c$ is a dimension instance $d : (M, <) \to (C, \nearrow)$ 
of $D$ such that: 

1. $d$ is injective (i.e., each category has at most one member); 

2. $d^{-1}(c)$ is a source of $(M, <)$; 

There could be infinitely many frozen dimensions, but there are only finitely 
many up to isomorphism, where isomorphism is defined as follows: $d$ is isomorphic 
to $d'$ iff there exists a graph mapping $f : (M, <) \to (M', <')$ such that 
$d = d' \circ f$, and if $k \in \mathrm{Const}_D(c_j)$ and $d(k) = c_j = d'(k)$, then $f(k) = k$. 

From now on, we will consider frozen dimensions up to isomorphism. Given 
a dimension schema $D$ and a category $c$ of it, we denote by $\mathrm{Frozen}(D, c)$ the set 
of frozen dimensions of $D$ (up to isomorphism) with root $c$, and by $\mathrm{Frozen}(D)$ 
the union of all $\mathrm{Frozen}(D, c)$ for all categories $c$ of $D$. 

Example 7. Figure 7 (top) shows three subgraphs of the hierarchy schema of 
the schema productA (given in Example 2). Each subgraph is induced by non-empty 
edges of a frozen dimension of productA with root Product. Intuitively, 
the frozen dimensions show the different structures that are mixed in the schema 
productA. Recall that frozen dimensions are dimension instances, but due to lack 
of space we do not show them directly. 

The following notion of equivalence compares the information capacity of 
two schemas $D$ and $D'$ based on the frozen dimensions they convey. To compare 
$D$ and $D'$ we establish a correspondence $\Omega$ between their sets of categories and 
then check that it induces a bijective relation between their frozen dimensions. 

Definition 11 (Frozen Equivalence). Let $D = (H, \Sigma)$ and $D' = (H', \Sigma')$ be 
dimension schemas, where $H = (C, \nearrow)$ and $H' = (C', \nearrow')$: 

Two frozen dimensions $d \in \mathrm{Frozen}(D)$ and $d' \in \mathrm{Frozen}(D')$ are isomorphic 
iff there exists a graph isomorphism $f : (M, <) \to (M', <')$ such that if $c \in C$ 
and $k \in \mathrm{Const}_D(c)$, then $f(k) = k$. Notice that $f$ induces an isomorphism 
$f : \mathrm{Im}(d) \to \mathrm{Im}(d')$. 

Let $\Omega \subseteq C \times C'$ be a category correspondence. An $\Omega$-frozen relation 
$T_\Omega \subseteq \mathrm{Frozen}(D) \times \mathrm{Frozen}(D')$ is defined as the set of pairs $(d, d')$ related by an 
isomorphism $f : d \to d'$ such that $f \subseteq \Omega$. 

Two schemas $D$ and $D'$ are frozen equivalent (in the sequel f-equivalent) if 
there exists a bijective $\Omega$-frozen relation from $\mathrm{Frozen}(D)$ to $\mathrm{Frozen}(D')$. 

Example 8. Consider the dimension schemas productA and productB, 
and a category correspondence $\Omega$ between them having the pairs 
of categories (Department, Department&AsiaBranch), (Branch, 
Department&AsiaBranch) and a pair $(c, c)$ for each category $c$ in both 
schemas. The $\Omega$-frozen relation between the sets Frozen(productA) and 
Frozen(productB) is shown in Figure 7 (the figure only shows the frozen 
dimensions with root Product). 

Fig. 7. Frozen Relation between the frozen dimension of productA and productB. 



Proposition 1 (f-Equivalence implies h-Equivalence). Let $D$ and $D'$ be 
two dimension schemas. If $D$ and $D'$ are f-equivalent, then $D$ and $D'$ are 
h-equivalent. 

The proof of this Proposition builds a bijective mapping $f : I(D) \to I(D')$ 
using the bijective frozen relation. Intuitively, if there is a 1-1 frozen relation 
(induced by some category correspondence between the schemas) then we can 
also define a 1-1 instance mapping between the instances of schemas. In Section 
5.2 we will state the converse and sketch its proof. 

5.2 h-Equivalence and f-Equivalence 

In this section we show that h-equivalence implies f-equivalence. This result along 
with Proposition 1 shows that f-equivalence characterizes h-equivalence. 

Firstly, we will introduce frozen schemas, dimension schemas that are normal 
forms, in the sense that every dimension schema is h-equivalent to a frozen 
schema. 

Definition 12 (Frozen Schema). A frozen schema is a dimension schema D 
such that each category c in D has a unique frozen dimension d and Im(d) is 
exactly the upgraph of c. 

The following are some basic properties of frozen schemas: their dimension 
instances are homogeneous; they do not have shortcuts; and they subsume canon- 
ical schemas. 

Example 9. The dimension schema productC given in Example 2 is a frozen 
schema, because its constraints cause each category c to have a single frozen 
dimension with root c. The category AsiaBranch is the only category whose 
frozen dimension has a constant (Asia). Schemas productA and productB are 
not frozen schemas since they convey several frozen dimensions with the category 
Product as root. 

Next, we show that testing h-equivalence of frozen schemas defined over the 
same set of constants reduces to testing whether the schemas are isomorphic. 
This result generalizes Theorem 2 because canonical schemas are frozen schemas. 

Note that two isomorphic frozen dimensions must have the same set of constants. 
We will say that two frozen schemas are normalized w.r.t. a set of constants 
if for all $c \in C$ and $c' \in C'$ it holds $\mathrm{Const}_D(c) = \mathrm{Const}_{D'}(c')$, i.e., their 
equality atoms mention the same constants for each category. 

Theorem 3 (h-Equivalence of Frozen Schemas). Let $D$ and $D'$ be two 
normalized frozen schemas. Then $D$ and $D'$ are h-equivalent iff they are isomorphic 
(i.e., $D \equiv_h D'$ iff $D \cong D'$). 

The proof is a generalization of the proof of Theorem 2. This theorem also 
shows that dimension schemas are more expressive than canonical schemas be- 
cause some frozen schemas are not isomorphic to any canonical schema. That 
is, there are dimension schemas for which there are no h-equivalent canonical 
schemas. 

Finally, we prove the main result of this section. 

Theorem 4 (h-Equivalence of dimension Schemas). Let $D$ and $D'$ be two 
normalized frozen dimension schemas. Then $D$ and $D'$ are f-equivalent iff they 
are h-equivalent. 

Proof. (Sketch.) One direction is Proposition 1. 

So assume that $D$ and $D'$ are h-equivalent. First define a schema transformation 
that takes $D$ and produces a frozen schema $D_f$ h-equivalent to $D$. 
The transformation works as follows: (1) Compute the frozen dimensions of $D$ 
using the DIMSAT algorithm presented in previous work [HM02]; (2) Reverse 
the graph $(C, \nearrow)$ and do a topological sort of the resulting graph; (3) Follow 
the topological sort, and for each category $c$ with more than one frozen dimension, 
split $c$ into $c_1, \ldots, c_n$ (preserving adjacent edges). Add constraints to the 
schema in order to have a single frozen dimension in each category $c_1, \ldots, c_n$. 
This process yields a new dimension schema with a single frozen dimension in 
each category; (4) For each category $c_j$ of the schema delete adjacent edges that 
do not match the frozen dimension. 

Each split in step (3) induces the following category correspondence 
between the hierarchy schemas before and after the split: $(c, c_j)$ for all $1 \le j \le n$, 
and for the remaining categories $c'$ that appear in both hierarchy schemas we 
have $(c', c')$. It is not difficult to verify that this category correspondence induces 
a bijective frozen relation between the old and the new schema. By composing 
these frozen relations we get a bijective frozen relation between $D$ and $D_f$. 

In the same manner, we build a frozen schema $D'_f$ and a bijective frozen 
relation between $D'$ and $D'_f$. Hence, we have bijective frozen relations $D \to D_f$ 
and $D' \to D'_f$. Also, from Theorem 3 we know that $D_f \cong D'_f$ via some $\mu$. From 
$\mu$ we can derive a bijective frozen relation between $D_f$ and $D'_f$. Composing these 
relations we derive the statement of the theorem. □ 

Example 10. The bijective frozen relation of Figure 7 shows that the schemas 
productA and productB of Example 2 are h-equivalent. By a similar procedure 
it can be easily verified that schema productC is h-equivalent to schemas 
productA and productB. 



5.3 Transforming Dimension Schemas into Homogeneous Schemas 

From the proof of Theorem 4 it follows that any dimension schema can be 
transformed into a hierarchically equivalent homogeneous schema. In Figure 8 
we sketch an algorithm to perform such a transformation. 

The algorithm outputs dimension schemas having the constraints that state 
the homogeneity condition. The schemas may also have additional constraints 
with equality atoms. Path atoms other than the ones that state the homogeneity 
condition are irrelevant for the resulting schemas because a path atom is either 
$\bot$ or $\top$ in every instance of a homogeneous schema. In Line 2 the algorithm 
computes the set of frozen dimensions of $D$. In Line 5, for each category $c$ of 
$D$ and subset $S$ of categories directly above $c$, the algorithm adds to $H$ a new 
category CatName(n) (the function CatName(n) returns a name for a new category 
when an integer $n$ is given) connected to the categories that are connected to $c$; 
then, the set of frozen dimensions $F$ is updated in order to keep them consistent 
with the fact that the new category CatName(n) represents the members that 
have parents only in categories in $S$. In Line 10 the algorithm does a traversal 
of the set $F$ deleting empty edges in the hierarchy schema, and adding to $\Sigma'$ 
equality atoms associated to the constants that appear in $F$. In this step the 
algorithm also adds the constraints of the form $(c, c')$ (homogeneity constraints) 
for each edge $(c, c')$ in the resulting hierarchy schema. 

In previous work [HM02] we provided an algorithm to compute the set of 
frozen dimensions of a schema in exponential time on the size of the schema. 
Thus, we can prove: 

Proposition 2. Assume the set of frozen dimensions of a schema is computed; 
then the algorithm of Figure 8 runs in time $O(N F 2^n)$, where $N$ is the size of 
the hierarchy schema, and $F$ is the number of frozen dimensions. 

5.4 Algorithmic Aspects of Testing Hierarchical Equivalence 

From the proof of Theorem 4, we can derive an algorithm for testing 
h-equivalence and prove that this problem is decidable. The naive application of 
the procedure in the proof yields a double exponential time algorithm. In fact, 
we can test whether $D \equiv_h D'$ in the following two steps: (1) apply the 
transformation in step (4) in the proof to transform $D$ into $D_f$ and $D'$ into $D'_f$ and (2) 
test whether $H_f$ is graph isomorphic to $H'_f$, where $H_f$ (resp. $H'_f$) is the hierarchy 
schema of $D_f$ (resp. $D'_f$). 

Input: A dimension schema $D = (H, \Sigma)$ 
Output: A homogeneous dimension schema $D'$, such that $D$ is h-equivalent to $D'$ 

(1) Let $C_{ini}$ be the set of categories of $D$; $\Sigma' := \emptyset$; $T := \emptyset$; $n := 0$ 
(2) Compute the set of frozen dimensions $F$ of $D$ 
(3) For every category $c \in C_{ini}$ do 
(4)   For every non-empty set $S$ of categories connected from $c$ do 
(5)     Split $c$ into CatName(n) and $c$ in $H$ 
(6)     For each frozen dimension $f$ of $F$, if 
          $f \models \bigwedge_{c_i \in S} (c, c_i) \wedge \bigwedge_{c_i \in \{c_i : c \nearrow c_i\} \setminus S} \neg (c, c_i)$ 
        then rename $c$ with CatName(n) in $f$; 
(7)     $n := n + 1$ 
(8)   EndFor 
(9) EndFor 
(10) Scan the set $F$ deleting the empty edges from $H$ and adding 
     equality and homogeneity constraints to $\Sigma'$ 
(11) Return $(H, \Sigma')$ 
End 

Fig. 8. Algorithm that transforms a dimension schema into an h-equivalent 
homogeneous schema. 



The number of categories in the frozen schemas is in $O(n 2^n K)$, where $n$ is the 
number of categories and $K$ is the number of constants mentioned in the schema. 
This bound is the order of the number of splits used in each transformation. 
Essentially, we may have as many categories in the resulting schema as frozen 
dimensions in the original schema. Since the size of $D_f$ (resp. $D'_f$) is exponential 
in the size of the initial schema $D$ (resp. $D'$) we get the stated bound due to the 
test in 2.¹ 

The following result shows that the problem is hard. 

Theorem 5 (Testing h-Equiv.). Testing whether two dimension schemas D 
and D' are h-equivalent is co-NP hard. 

The proof is a reduction of VALIDITY (given a proposition P, is P satisfied 
by all truth assignments?) to this problem. 

We end this section by sketching an exponential time algorithm for testing 
h-equivalence: (1) compute the frozen dimensions of $D$ and $D'$; and (2) for every 
binary relation between categories, test whether it induces a bijective frozen 
mapping. 

Step 1 can be done in exponential time on the size of the schema. (See [HM02] 
for detailed bounds.) The number of binary relations between categories we need 
to test in Step 2 is $O(2^{n^2})$. For each such relation, we have to compute the 
induced frozen relation $R$, i.e. we need to test for each pair of frozen dimensions 
$d \in \mathrm{Frozen}(D)$ and $d' \in \mathrm{Frozen}(D')$ whether $(d, d') \in R$. This test can be done 
in $2^{n^2}$ operations of $O(n)$ steps each, since we need to check at most $2^{n^2}$ possible 
isomorphisms between $d$ and $d'$. Also, we have to perform one test for each pair 
of frozen dimensions $d$ and $d'$. Since the number of frozen dimensions of a given 
schema is exponential in the size of the schema, Step 2 can be accomplished in 
time exponential on the size of the schemas. 

¹ DAG isomorphism is graph isomorphism complete. Recall that the “exact” complexity 
of deciding whether two graphs are isomorphic is still not known. The problem 
has neither been proved to be NP complete nor in P. 

6 Conclusion and Further Work 

In this paper we have presented a series of results that give conceptual insights 
into the problem of modeling OLAP dimension schemas. In particular, our framework 
allows us to compare different classes of dimension schemas introduced 
in a variety of OLAP models, and provides a formal basis for further research on 
schema restructuring in OLAP warehouses. 

Dimension schemas enriched with dimension constraints give users flexibility 
to choose among several options the best suited for the application at hand. 
Further work needed to turn this flexibility into practical OLAP applications 
includes the definition of normal forms, restructuring operators, and implemen- 
tation issues. 
Abstract. It has been shown that, despite the differences in approach
and interpretation, all belief function based models without the so-called
dynamic component lead essentially to mathematically equivalent
theories - at least in the finite case. In this paper, we first argue that at
the logical level these models seem to share a common formal framework
and that the various interpretations only arise at the epistemic level. We then
introduce a framework for belief modeling formally based on Dempster's
structure while adopting Smets' view of the origin of beliefs. It is shown
that the proposed model is more general than previous models, and
may provide a suitable unified framework for belief modeling.

Keywords: Transferable belief model, Uncertainty, Dempster-Shafer 
theory, Propagable belief model. 



1 Introduction 

Dealing with uncertainty is a fundamental and unavoidable issue in AI research.
Undoubtedly, the Bayesian approach is the most widely used approach
to dealing with uncertainty. Although the Bayesian approach is strongly supported
by well-established techniques from probability theory as well
as some philosophical justification, it has been widely criticized in the literature.
So far numerous other approaches to dealing with uncertainty have been proposed,
including Dempster-Shafer theory [2,22], the transferable belief model [24,28],
the probability of modal propositions [21], various nonstandard and fuzzy
logics [16,10,32], and the context model [7], among others. Of particular interest
to us in this paper is the Dempster-Shafer-Smets model¹.

From a mathematical point of view, a belief function can be treated as a
mathematical object satisfying a certain set of axioms. In particular, the axioms for
belief functions can be viewed as a weaker form of the Kolmogorov axioms that
characterize probability functions. Under such a view, a number of authors have
tried to characterize a belief function as a generalized probability function [5,6]
or in terms of probability functions [2,3,23]. On the other hand, belief functions
have also been used to model someone's belief, an approach that goes back to Shafer [22]. In
belief modeling using belief functions, there are various, even contrasting, views of
the origin of beliefs. These have resulted in many different interpretations of
Dempster-Shafer theory and, at the same time, have opened it to criticism [29]. This
paper aims neither at debating the existing approaches
to belief modeling nor at presenting another interpretation of belief functions.
Our main concern is belief modeling itself. To this end, we adopt Smets'
view of the origin of beliefs in the transferable belief model, inasmuch as it is
not only based on a well-established axiomatic justification, but also has a
practical basis when someone intends to model subjective, personal beliefs.
For example, in a medical diagnostic situation, it is easier and more realistic for
You, the doctor, to give basic belief masses on subsets of symptoms that may
cause the unknown disease rather than to give (subjective) probabilities on single
symptoms, even though such probabilities may exist². On the other hand, we are
highly motivated by the fact that the notion of a multi-valued mapping may be
a good mathematical tool for representing human beings' cause-and-effect view
of reality. Thus our approach is based on Dempster's structure, but according
to Kohlas and Monney's view of the multi-valued mapping [13].

1 This name is used in [7] to reflect Smets' "non-probabilistic" view of using belief
functions (including Dempster's rule of conditioning and Dempster's rule of combination)
to model someone's belief.

In the next section we will briefly present the necessary notions from the
Dempster-Shafer theory of evidence. Some belief function based models are recalled
and analyzed in Section 3. We would like to emphasize that the model
introduced in this paper should not be considered as a formal generalization
of previous models, even though it may be one. Thus not all interpretations of belief
functions are analyzed here (see [29] for the details); only the models that
guided us towards our purpose are mentioned. A full description of the model
for belief representation can be found in [22]. Other models can be found in,
e.g. [21,20,15] for the modal logic based interpretation; [17] for the random set
based interpretation; [7,11] for the context model. In Section 4 we introduce the
so-called propagable belief model, and conditioning as belief revision with certain
evidence versus the one with uncertain evidence will be analyzed via the
well-known three prisoners problem. Finally, some concluding remarks and further
work will be presented in Section 5.



2 Dempster-Shafer Theory of Evidence 

We recall in this section necessary notions from the Dempster-Shafer theory of
evidence (DS theory, for short). The theory aims at providing a mechanism for
representing and reasoning with uncertain, imprecise and incomplete information.
It is based on Dempster's original work [2] on the modeling of uncertainty
in terms of upper and lower probabilities induced by a multi-valued mapping.

2 Note that this does not exclude the possibility of using correct probabilities whenever
available.

198 V.N. Huynh et al.

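A multi-valued mapping $\Gamma$ from space $\Omega$ into space $\Theta$ associates to each
element $\omega$ of $\Omega$ a subset $\Gamma(\omega)$ of $\Theta$. The domain of $\Gamma$, denoted by
$\mathrm{Dom}(\Gamma)$, is defined by

$$\mathrm{Dom}(\Gamma) = \{\omega \in \Omega \mid \Gamma(\omega) \neq \emptyset\}.$$

From a multi-valued mapping $\Gamma$, a probability measure $P$ on $\Omega$ can be propagated
to $\Theta$ in such a way that for any subset $T$ of $\Theta$ the lower and upper bounds
of probabilities of $T$ are defined as

$$P_*(T) = \frac{P(\Gamma_*(T))}{P(\mathrm{Dom}(\Gamma))} \qquad (1)$$

$$P^*(T) = \frac{P(\Gamma^*(T))}{P(\mathrm{Dom}(\Gamma))} \qquad (2)$$

where

$$\Gamma_*(T) = \{\omega \in \Omega \mid \omega \in \mathrm{Dom}(\Gamma) \wedge \Gamma(\omega) \subseteq T\},$$

$$\Gamma^*(T) = \{\omega \in \Omega \mid \Gamma(\omega) \cap T \neq \emptyset\}.$$

Clearly, $P_*, P^*$ are well defined only when $P(\mathrm{Dom}(\Gamma)) \neq 0$.

Remark 2.1. The equations (1) and (2) can be represented in terms of conditional
probabilities as follows

$$P_*(T) = P(\Gamma_*(T) \mid \mathrm{Dom}(\Gamma)), \qquad P^*(T) = P(\Gamma^*(T) \mid \mathrm{Dom}(\Gamma)) \qquad (3)$$

This representation suggests the idea of a new interpretation of conditional
beliefs presented in Section 4.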

Furthermore, Dempster also observed that, in the case that $\Theta$ is finite, these
lower and upper probabilities are completely determined by the quantities

$$P(\{\omega \in \Omega \mid \Gamma(\omega) = T\}), \quad \text{for } T \in 2^\Theta.$$

As such Dempster implicitly gave the prototype of a mass function, also called
basic probability assignment. Shafer's contribution has been to explicitly define
the basic probability assignment and to use it to represent evidence directly.
Simultaneously, Shafer has reinterpreted Dempster's lower and upper probabilities
as degrees of belief and plausibility respectively, and abandoned the idea that
they arise as lower and upper bounds over classes of Bayesian probabilities [22].
Formally, the definitions of these measures are given as follows:

1. A function $bel : 2^\Theta \to [0, 1]$ is called a belief measure over $\Theta$ if
B1. $bel(\emptyset) = 0$, $bel(\Theta) = 1$
B2. For any finite family $\{A_i\}_{i=1}^n$ in $2^\Theta$,

$$bel\Big(\bigcup_{i=1}^n A_i\Big) \geq \sum_{\emptyset \neq I \subseteq \{1,\ldots,n\}} (-1)^{|I|+1}\, bel\Big(\bigcap_{i \in I} A_i\Big)$$

2. A function $pl : 2^\Theta \to [0, 1]$ is called a plausibility measure if
P1. $pl(\emptyset) = 0$, $pl(\Theta) = 1$
P2. For any finite family $\{A_i\}_{i=1}^n$ in $2^\Theta$,

$$pl\Big(\bigcap_{i=1}^n A_i\Big) \leq \sum_{\emptyset \neq I \subseteq \{1,\ldots,n\}} (-1)^{|I|+1}\, pl\Big(\bigcup_{i \in I} A_i\Big)$$

It should be noted that belief and plausibility measures form a dual pair, namely

$$pl(A) = 1 - bel(\overline{A}), \quad \text{for any } A \in 2^\Theta.$$

In the case of a finite universe $\Theta$, a function $m : 2^\Theta \to [0, 1]$ is called a basic
probability assignment if $m(\emptyset) = 0$ and

$$\sum_{A \in 2^\Theta} m(A) = 1.$$

A subset $A \in 2^\Theta$ with $m(A) > 0$ is called a focal element of $m$. The difference
between $m(A)$ and $bel(A)$ is that while $m(A)$ is our belief committed to the
subset $A$ excluding any of its proper subsets, $bel(A)$ is our degree of belief in $A$
as well as all of its subsets. Consequently, $pl(A)$ represents the degree to which
the evidence fails to refute $A$. Furthermore, the belief and plausibility measures
are in a one-to-one correspondence with basic probability assignments. Namely,
given a basic probability assignment $m$, the corresponding belief measure $bel$ and
its dual plausibility measure $pl$ are determined by

$$bel(A) = \sum_{B \subseteq A} m(B)$$

$$pl(A) = \sum_{B \cap A \neq \emptyset} m(B)$$

Conversely, given a belief measure $bel$, the corresponding basic probability assignment
$m$ is determined via Möbius inversion as follows

$$m(A) = \sum_{B \subseteq A} (-1)^{|A \setminus B|}\, bel(B)$$

In the next section we will briefly present several interpretations of
the DS model, namely Kohlas and Monney's hint model [14], Fagin and Halpern's
model [5] and Smets' transferable belief model [28]. In this paper we
confine ourselves to finite structures only.
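
The following Python sketch is an added illustration, not code from the paper. It propagates a probability measure through a multi-valued mapping as in equations (1) and (2), derives the corresponding basic probability assignment, and checks that Möbius inversion recovers it. The sample spaces, the mapping and all function names are constructed for the example, and normalising the mass by P(Dom(Γ)) is an assumption made so that the masses sum to 1.

```python
from fractions import Fraction
from itertools import combinations


def powerset(items):
    """All subsets of `items`, as frozensets."""
    xs = sorted(items)
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]


def domain(gamma):
    """Dom(Gamma): the elements whose image under Gamma is nonempty."""
    return {w for w, image in gamma.items() if image}


def lower_upper(P, gamma, T):
    """Lower and upper probabilities of T, equations (1) and (2)."""
    dom = domain(gamma)
    p_dom = sum((P[w] for w in dom), Fraction(0))
    if p_dom == 0:
        raise ValueError("P(Dom(Gamma)) = 0: the bounds are not defined")
    lower = sum((P[w] for w in dom if gamma[w] <= T), Fraction(0))
    upper = sum((P[w] for w in dom if gamma[w] & T), Fraction(0))
    return lower / p_dom, upper / p_dom


def mass_from_mapping(P, gamma):
    """m(T) = P({w | Gamma(w) = T}) / P(Dom(Gamma)) for nonempty T."""
    dom = domain(gamma)
    p_dom = sum((P[w] for w in dom), Fraction(0))
    if p_dom == 0:
        raise ValueError("P(Dom(Gamma)) = 0: no mass can be assigned")
    m = {}
    for w in dom:
        m[gamma[w]] = m.get(gamma[w], Fraction(0)) + P[w] / p_dom
    return m


def bel(m, A):
    """bel(A): total mass of the focal elements contained in A."""
    return sum((v for B, v in m.items() if B <= A), Fraction(0))


def pl(m, A):
    """pl(A): total mass of the focal elements that intersect A."""
    return sum((v for B, v in m.items() if B & A), Fraction(0))


def moebius(bel_fn, frame):
    """Recover the mass function from a belief function (focal elements only)."""
    m = {}
    for A in powerset(frame):
        value = sum(((-1) ** len(A - B) * bel_fn(B) for B in powerset(A)),
                    Fraction(0))
        if value:
            m[A] = value
    return m


# Constructed sample: four interpretations, three possible answers.
THETA = frozenset("abc")
P = {"w1": Fraction(1, 2), "w2": Fraction(1, 4),
     "w3": Fraction(1, 8), "w4": Fraction(1, 8)}
GAMMA = {"w1": frozenset("a"), "w2": frozenset("ab"),
         "w3": frozenset("bc"), "w4": frozenset()}   # w4 lies outside Dom(Gamma)
M = mass_from_mapping(P, GAMMA)

if __name__ == "__main__":
    for T in powerset(THETA):
        lo, up = lower_upper(P, GAMMA, T)
        print(sorted(T), "lower", lo, "upper", up)
```
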

3 Belief Function Based Models 

Since Shafer introduced the model in the seminal work “A Mathematical Theory 
of Evidence” [22], many interpretations of it have been proposed. According to 
Smets [29], any model for belief has at least two components: one static that 
describes our state of belief, and the other dynamic that explains how to update 
our belief given new pieces of information. It has been clear that by restricting 
to the static component, various models for belief, despite the differences in 
approach and interpretation, lead essentially to mathematically equivalent forms. 
3.1 The Hint Model

The hint model proposed by Kohlas [12] and developed further by Kohlas and
Monney [13,14] begins with Dempster's original structure $(\Omega, P, \Gamma, \Theta)$ where $\Omega$
and $\Theta$ are two sets, $P$ is a probability measure on $\Omega$ and $\Gamma$ is a multi-valued
mapping from $\Omega$ into $\Theta$.

The authors assume a certain question, whose answer is unknown. The set $\Theta$,
called the frame of discernment, is the set of possible answers to the question. One
and only one element of $\Theta$ is the correct answer, but it is unknown. $\Omega$ is interpreted as the
set of possible interpretations allowed in the light of the available information.
Exactly one of the elements $\omega \in \Omega$ must be the correct interpretation, but
it is unknown which one. Furthermore, the assumption that not all possible
interpretations are equally likely induces the known probability measure $P$ on
$\Omega$. In the simplest case, one can assume that if $\omega$ is the correct interpretation,
then the correct answer $\theta$ must be within some nonempty subset $\Gamma(\omega)$ of $\Theta$, the
focal set of the interpretation. Alternatively, for any possible interpretation $\omega$, the
family $\mathcal{S}(\omega)$ of the subsets of $\Theta$ (considered as propositions) implied by $\omega$ can
be considered. $\mathcal{S}(\omega)$, called a filter, is simply the family of supersets of the focal
set $\Gamma(\omega)$ and has the following properties:

(1) $H \in \mathcal{S}(\omega)$ and $H \subseteq H'$ imply $H' \in \mathcal{S}(\omega)$.

(2) $H_1, H_2 \in \mathcal{S}(\omega)$ imply $H_1 \cap H_2 \in \mathcal{S}(\omega)$.

(3) $\Theta$ belongs to $\mathcal{S}(\omega)$, $\emptyset$ does not belong to $\mathcal{S}(\omega)$.

Furthermore, one can also look at the family $\mathcal{P}(\omega)$ of the propositions which
are possible under $\omega$. That is, a subset $H$ of $\Theta$ is considered as possible if $H$
has a nonempty intersection with the focal set $\Gamma(\omega)$. The family $\mathcal{P}(\omega)$ has
the following properties:

(1') $H \in \mathcal{P}(\omega)$ and $H \subseteq H'$ imply $H' \in \mathcal{P}(\omega)$.

(2') $H_1, H_2 \in \mathcal{P}(\omega)$ imply $H_1 \cup H_2 \in \mathcal{P}(\omega)$.

(3') $\Theta$ belongs to $\mathcal{P}(\omega)$, $\emptyset$ does not belong to $\mathcal{P}(\omega)$.

Under such an analysis, the quadruple $\mathcal{H} = (\Omega, P, \Gamma, \Theta)$ is called a hint.

Now if a proposition $H \subseteq \Theta$ is fixed as a hypothesis about the correct answer,
then this hypothesis should be judged in the light of a hint $\mathcal{H}$. That is, one can
look at the subsets of interpretations under which $H$ is implied, $u(H)$, or possible,
$v(H)$:

$$u(H) = \{\omega \in \Omega \mid H \in \mathcal{S}(\omega)\}, \qquad v(H) = \{\omega \in \Omega \mid H \in \mathcal{P}(\omega)\} \qquad (4)$$

Then the degree of credibility (or support), denoted by $sp(H)$, and the degree of
plausibility, denoted by $pl(H)$, are defined as follows

$$sp(H) = P(u(H)), \qquad pl(H) = P(v(H)) \qquad (5)$$

As such the hint model is based on Dempster's original approach, and in this
model degrees of support (or equivalently, beliefs) are deduced from a filter-valued
mapping and a probability measure on the space of possible interpretations.
Remark 3.1. (i) In the hint model one may implicitly assume a propositional
language $\mathcal{L}_\Theta$ that is derived from the question of concern and is semantically
interpreted by the Boolean algebra $2^\Theta$. The filter-valued mapping induced
from $\Gamma$ plays an important role in forming credibility in the light of a hint.
Thus, at the logical level a hint may be seen as a quadruple $(\Omega, \Gamma, \Theta, \mathcal{L}_\Theta)$.
(ii) In our opinion, the assumption "not all possible interpretations are equally
likely" is not always available in general; once it is available it should be
considered as supplemental information, and then the probability measure
$P$ on $\Omega$ is added to the hint to quantify degrees of credibility in the light
of the hint. Furthermore, although a probability function is assumed on $\Omega$,
the hint model does not explicitly assume there is a probability function on
$\Theta$ as the upper and lower probabilities model does. Thus the hint model may
be considered as a logic-based interpretation of the DS model, associated with
supplemental probabilistic information.

3.2 Fagin and Halpern’s Model 

In [5] Fagin and Halpern introduced a new probabilistic approach to dealing 
with uncertainty by using the standard mathematical notions of inner measure 
and outer measure induced by the probability measure [8]. Interestingly, inner 
measures induced by probability measures turn out to correspond in a precise 
sense to DS belief functions. The model is interpreted as follows. 

Let $\Phi = \{p_1, \ldots, p_n\}$ be a finite set of primitive propositions thought of
as corresponding to basic events concerning the situation we want to reason
about. The set $\mathcal{L}(\Phi)$ of propositional formulas is the closure of $\Phi$ under the
Boolean operations $\wedge$ and $\neg$. For convenience we assume also that there is a special
formula true, and we abbreviate $\neg$true by false. To get mutually exclusive
events, we can consider all the formulas of the form $p'_1 \wedge \ldots \wedge p'_n$, called atoms³,
where $p'_i$ is either $p_i$ or $\neg p_i$. Let $At$ denote the set of atoms over $\Phi$.

In Nilsson's probabilistic logic [16], a probability distribution is assumed
on $At$. Then the probabilistic truth value of a formula $\varphi$ can be computed by
using the finite additivity property of the probability measure and the equivalent
representation of the formula $\varphi$ as a disjunction of atoms. This formally forms
a probability space of the form $(At, 2^{At}, P)$⁴, called a Nilsson structure. Given
a Nilsson structure $N = (At, 2^{At}, P)$ and a formula $\varphi$, let $W_N(\varphi)$ denote the
probabilistic truth value (or shortly, weight) of $\varphi$ in $N$, which is defined to be
$P(At(\varphi))$, where $At(\varphi)$ is the set of atoms whose disjunction is equivalent to $\varphi$.

Fagin and Halpern have proposed a more general approach by taking a probability
structure as a quadruple $(S, \mathcal{X}, P, \pi)$, where $(S, \mathcal{X}, P)$ is a probability space and
$\pi$ associates with each $s \in S$ a truth assignment $\pi(s) : \Phi \to \{\text{true}, \text{false}\}$. The
equation $\pi(s)(p) = \text{true}$ means that $p$ is true at $s$. The set $S$ is thought of as
consisting of the possible states of the world. We can associate with each state $s$
in $S$ a unique atom describing the truth values of the primitive propositions in
$s$. Further, there may be several states associated with the same atom. Using the
usual rules of propositional logic we can easily extend $\pi(s)$ to a truth assignment
on all formulas.

3 The terminology by Fagin and Halpern, also called interpretations in the logic literature.

4 The notation $P$ is used here instead of $\mu$ as in [5] to denote a probability measure.

Given a probability structure $M = (S, \mathcal{X}, P, \pi)$, we now associate with each
formula $\varphi$ the set $\varphi^M = \{s \in S \mid \pi(s)(\varphi) = \text{true}\}$, assuming that $\text{true}^M = S$.
If $p^M$ is measurable for every primitive proposition $p \in \Phi$ then so is $\varphi^M$ for every
formula $\varphi$. In that case we say that $M$ is a measurable probability structure. In
general, we cannot talk about the probabilistic truth value of a formula $\varphi$ if $\varphi^M$
is not measurable. In such a case, Fagin and Halpern proposed to use its inner
measure and outer measure, as these are defined for all subsets. Intuitively, the
inner and outer measure provide lower and upper bounds on the probabilistic
truth value of $\varphi$. In particular, if $\varphi^M$ is not measurable, we define $W_M(\varphi)$ to be
the inner measure of $\varphi$ in $M$ as follows

$$W_M(\varphi) \overset{\mathrm{def}}{=} P_*(\varphi^M) = \sup\{P(X) \mid X \subseteq \varphi^M, X \in \mathcal{X}\}$$

A proof given in [5] following from a more general result in [23] shows that $P_*$
is indeed a belief measure. On the basis of the ideas above, the authors also
developed a new notion of conditional belief which plays the same role for DS
belief functions as conditional probability does for probability functions [6,9].

It is of interest that Fagin and Halpern’s model can be viewed as a special 
case of Dempster’s structure at least in the finite case as follows. 

If $S$ is a finite set, it is easy to see that $\mathcal{X}$ has a basis, i.e. a family $\mathcal{B}$ of
nonempty and disjoint subsets of $S$ such that every member of $\mathcal{X}$ is a union
of members of $\mathcal{B}$. Furthermore, the basis $\mathcal{B}$ forms a partition of $S$, say $\mathcal{B} =
\{B_1, \ldots, B_k\}$. We can now associate with each $B_i$ a so-called situation $t_i$, which
may be thought of as a realization of the possible states in $B_i$. Let $T$ denote
the set $\{t_1, \ldots, t_k\}$. In addition we define a probability distribution $P_T$ on $T$ as
$P_T(t_i) = P(B_i)$, and a multi-valued mapping $\Gamma$ from $T$ into $S$ by $\Gamma(t_i) = B_i$.
Then it is easy to see that the Dempster structure $(T, P_T, \Gamma, S)$ induces a belief
function that coincides with Fagin and Halpern's proposal via the inner measure
above.



3.3 The Transferable Belief Model 

The transferable belief model (TBM, for short) introduced in [24,28] provides 
a model for the representation of quantified belief. This model is based on the 
assumption that beliefs manifest themselves at two mental levels: the credal level 
where beliefs are entertained and the pignistic level where beliefs are used to 
make decisions (from credo, I believe and pignus, a bet both in Latin) . Especially, 
the TBM justifies the use of belief functions to model subjective, personal beliefs 
even in the cases where every probability concept is absent at the credal level. 
Once probabilities are defined everywhere the TBM is reduced to the Bayesian 
model [29]. The TBM is briefly described as follows. 

Let $\mathcal{L}$ be a finite propositional language, and $W = \{w_1, w_2, \ldots, w_n\}$ be the
set of possible worlds that correspond to the interpretations of $\mathcal{L}$. The set $W$ is
called the frame of discernment. Each proposition in $\mathcal{L}$ identifies a subset of $W$,
and two propositions are logically equivalent iff they identify the same subset.
Given a partition $\Pi$ of $W$, we build the Boolean algebra $\mathcal{R}$ of subsets of $W$
generated from $\Pi$. The elements of $\Pi$ are called the atoms of $\mathcal{R}$, and the pair
$(W, \mathcal{R})$ is called a propositional space.

Now assume that You is an ideal rational agent, and all beliefs entertained
by You at time $t$ about which world is the actual world $\varpi$ are defined relative to
a given evidential corpus $(EC_t^Y)$. By the Basic Assumption, the TBM assumes
a basic belief assignment $m : \mathcal{R} \to [0, 1]$ with

$$\sum_{A \in \mathcal{R}} m(A) = 1, \qquad m(\emptyset) = 0.$$

For $A \in \mathcal{R}$, $m(A)$ is a part of Your belief that supports $A$, i.e. that the actual
world $\varpi$ is in $A$, and that, due to the lack of information, does not support any
strict subproposition of $A$. The difference with probability models here is that
masses can be given to any proposition of $\mathcal{R}$ instead of only to atoms of $\mathcal{R}$. In
the TBM, once some further evidence becomes available to You and implies that
$B$ is true, the mass $m(A)$ initially allocated to $A$ is transferred to $A \cap B$. This
transfer of belief in the TBM satisfies the so-called Dempster rule of conditioning
and results in $m_B : \mathcal{R} \to [0, 1]$ with

$$m_B(A) = \begin{cases} c \sum_{X \subseteq \overline{B}} m(A \cup X) & \text{for } A \subseteq B, \\ 0 & \text{otherwise,} \end{cases}$$

where

$$c = \frac{1}{1 - \sum_{X \subseteq \overline{B}} m(X)}$$

Given a propositional space $(W, \mathcal{R})$ and a basic belief assignment $m$, the
belief function $bel : \mathcal{R} \to [0, 1]$ is defined as usual by

$$bel(A) = \sum_{\mathcal{R} \ni X \subseteq A} m(X).$$

The triple $(W, \mathcal{R}, bel)$ is then called a credibility space.

At this juncture we can see that, given the evidence available on a situation
You want to reason about, the TBM claims the existence of a belief function
that describes Your credal state on the frame of discernment. Suppose now a
decision must be made based on this credal state. It is well known [1] that
decisions will be coherent if the underlying uncertainties can be described by
a probability distribution defined on $2^W$. Based on the Generalized Insufficient
Reason Principle [28], the pignistic probability distribution derived from $bel$ at
the pignistic state via the so-called pignistic transformation is defined as follows

$$BetP(x) = \sum_{x \subseteq A \in \mathcal{R}} \frac{m(A)}{|A|} = \sum_{A \in \mathcal{R}} m(A)\, \frac{|x \cap A|}{|A|} \qquad (6)$$

where $x$ is an atom in $\mathcal{R}$ and $|A|$ is the number of atoms of $\mathcal{R}$ in $A$.
Remark 3.2. If we denote by $F(x)$ the principal filter generated by an atom $x$ in
the Boolean algebra $\mathcal{R}$ [19], the pignistic probability distribution $BetP$ derived
from $m$ is represented as

$$BetP(x) = \sum_{A \in F(x)} \frac{m(A)}{|A|} \qquad (7)$$

This may show a logical relation implicitly behind the TBM and the hint model
even though the primitive concepts of these two models are different. While in the
hint model the primitive concept is the hint, from which degrees of support are
deduced, the TBM assumes the degrees of belief as a primitive concept from which
the pignistic probability function is derived. At the same time, as mentioned in
[28] (page 200), the important concept in a propositional space $(W, \mathcal{R})$ is the
algebra $\mathcal{R}$ (and so the partition $\Pi$), not the set of worlds $W$. Formally, similarly to what was
mentioned above for Fagin and Halpern's model, we can view the TBM in
terms of Dempster's structure without, however, reference to any probability
concepts.

For the axiomatic justifications and more details on the TBM as well as its 
applications, the reader could be referred to, e.g. [4,25,27,29,30,31]. 



4 The Propagable Belief Model 

In this section we introduce a model called the propagable belief model (PBM, for
short) that aims at presenting a new approach to modeling subjective, personal
beliefs in the spirit of the TBM. Essentially, our model is based on Dempster's
structure, except that an underlying probability distribution is not
assumed. Instead, we adopt the basic assumption as in the TBM.



4.1 The Model 

The PBM concerns the same concepts as considered by previous models, which are
specified as follows.

Let $W = \{w_1, w_2, \ldots, w_n\}$ be the set of possible states of the world concerning
a situation we want to reason about. We call $W$ the frame of discernment
and may think of elements of $W$ as interpretations of an underlying propositional
language, or possible answers to a given question, or the like. Practically, due to
the complexity of the reasoning situation and/or lack of information, the information
on $W$ may be encoded into a nonempty finite set of possible observations
$\mathcal{O}$. Each observation $Ob$ in $\mathcal{O}$ can cover several possible states of the world, a
subset $\Gamma(Ob)$ of $W$. In addition, we assume that all the available information
allows us to allocate belief masses to subsets of the set of possible observations.
For $O \in 2^{\mathcal{O}}$, $m_{\mathcal{O}}(O)$ is the belief degree that supports that the true state of the
world $\varpi$ is covered by the set of observations $O$. That is, due to lack of information,
in some cases a belief mass is only assigned to a combined view of several
observations but not to any strict subset of these observations. For the discussion
on the origin of the basic belief masses, the reader is referred to [28].
Example 4.1. Assume You, the detective, are dealing with a case of murder.
You may determine a basic evidential structure consisting of $W$ as the set of
suspects who had potential to be the killer, $\mathcal{O}$ as the set of observed evidence
in which each observed evidence supposes several suspects to be the killer, and
$m_{\mathcal{O}} : 2^{\mathcal{O}} \to [0, 1]$ as the basic belief assignment, where $m_{\mathcal{O}}(O)$, for $O \in 2^{\mathcal{O}}$,
quantifies Your belief degree supporting that the observed evidence in $O$ constitutes
the murder.

Example 4.2. In a medical diagnostic situation, You, the doctor, may determine
a basic evidential structure for diagnosis consisting of $W$ as the set of possible
diseases which the present patient may have, $\mathcal{O}$ as the set of observed symptoms
from the patient in which, according to Your experience, each symptom may occur
in several diseases, and $m_{\mathcal{O}} : 2^{\mathcal{O}} \to [0, 1]$ as the basic belief assignment, where
$m_{\mathcal{O}}(O)$, for $O \in 2^{\mathcal{O}}$, quantifies Your belief degree supporting that the symptoms in
$O$ cause the unknown disease.

Formally, we define a basic evidential structure as a quadruple $(\mathcal{O}, m_{\mathcal{O}}, W, \Gamma)$,
where $\mathcal{O}$ is the finite set of possible observations, $m_{\mathcal{O}}$ is an initially basic belief
assignment on $2^{\mathcal{O}}$, $W$ is the frame of discernment, and $\Gamma$ is a multi-valued
mapping from $\mathcal{O}$ into $W$ that associates to each element $Ob$ in $\mathcal{O}$ a subset $\Gamma(Ob)$
of $W$. For any $O \in 2^{\mathrm{Dom}(\Gamma)}$ we call the set $\Gamma(O)$ observable in $W$, and if $A$
is observable we denote

$$\Gamma^{-1}(A) = \{Ob \in \mathrm{Dom}(\Gamma) \mid \bigcup \Gamma(Ob) = A\}.$$

An observation $Ob \in \mathcal{O}$ is said to be irrelevant (resp., relevant) if $\Gamma(Ob) = \emptyset$
(resp., $\Gamma(Ob) \neq \emptyset$). Naturally, we do not consider any irrelevant observations in
the basic evidential structure, i.e. we assume that every
observation in the basic evidential structure is relevant. However, irrelevant
observations may occur once the conditioning information from a new piece of
evidence becomes available. The set of observations $\mathcal{O}$ is said to be complete in
the basic evidential structure if

$$\bigcup_{Ob \in \mathcal{O}} \Gamma(Ob) = W,$$

and mutually exclusive if $\Gamma(Ob) \cap \Gamma(Ob') = \emptyset$ for any $Ob, Ob' \in \mathcal{O}$ with $Ob \neq Ob'$.
Intuitively, the set of observations $\mathcal{O}$ is incomplete when the available observations
do not cover the situation completely, and the true state of the world may
be in $W \setminus \Gamma(\mathcal{O})$. Consequently, a positive belief mass may be assigned to $\emptyset$,
i.e. $m_{\mathcal{O}}(\emptyset) > 0$, which corresponds to the so-called open world assumption. Hereafter
we accept the closed world assumption, namely $m_{\mathcal{O}}(\emptyset) = 0$.

Given a basic evidential structure $(\mathcal{O}, m_{\mathcal{O}}, W, \Gamma)$, as our main concern is on
$W$, the initially basic belief assignment $m_{\mathcal{O}}$ should be propagated to $W$ in a
natural way similar to the case of Dempster's approach. For any $A \in 2^W$, the
set $\Gamma_*(A) = \{Ob \in \mathcal{O} \mid \Gamma(Ob) \subseteq A\}$⁵ consists of all observations that, according
to available evidence, support (imply) the proposition "$\varpi$ is in $A$", and the set
$\Gamma^*(A) = \{Ob \in \mathcal{O} \mid \Gamma(Ob) \cap A \neq \emptyset\}$ consists of all observations in which the
proposition is possible. Clearly, any nonempty subset of $\Gamma_*(A)$ also
supports the proposition, whilst any subset of $\mathcal{O}$ having a nonempty intersection
with $\Gamma^*(A)$ makes the proposition possible. Thus we can define the degree
of support and the degree of plausibility for $A$, denoted by $Sp(A)$ and $Pl(A)$,
respectively, as follows

$$Sp(A) = bel_{\mathcal{O}}(\Gamma_*(A)) \qquad (8)$$

$$Pl(A) = pl_{\mathcal{O}}(\Gamma^*(A)) \qquad (9)$$

where $bel_{\mathcal{O}}$ and $pl_{\mathcal{O}}$ respectively are the belief function and the plausibility function
defined on $2^{\mathcal{O}}$ from $m_{\mathcal{O}}$.

5 Note that, by assumption, $\mathrm{Dom}(\Gamma) = \mathcal{O}$.

Remark 4.1.
- When the belief is probabilistic ([28], page 222), a basic evidential
structure becomes a Dempster's structure. More especially, the ideal
situation where $\mathcal{O}$ is finest, i.e. each observation covers exactly one possible
state of the world, induces a probability model.

- If the set of observations $\mathcal{O}$ in the structure $(\mathcal{O}, m_{\mathcal{O}}, W, \Gamma)$ is complete and
mutually exclusive, the model is reduced to the TBM as shown below.

- If the set of observations $\mathcal{O}$ is complete and mutually exclusive and $bel_{\mathcal{O}}$
is a probability function, then observable subsets in $W$ become measurable
events and the PBM without the dynamic component is equivalent to Fagin
and Halpern's inner and outer measures model.

Interestingly enough, we have the following theorem. 

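Theorem 4.1. Let $(\mathcal{O}, m_{\mathcal{O}}, W, \Gamma)$ be a basic evidential structure. Then
$Sp : 2^W \to [0, 1]$ with $Sp(A) = bel_{\mathcal{O}}(\Gamma_*(A))$ is a belief function.

Proof. Clearly $Sp$ satisfies B1, i.e. $Sp(\emptyset) = 0$ and $Sp(W) = 1$, so it suffices to
show that it satisfies B2. Given subsets $A_1, \ldots, A_n \in 2^W$, we now show that

$$Sp\Big(\bigcup_{i=1}^n A_i\Big) \geq \sum_{\emptyset \neq I \subseteq \{1,\ldots,n\}} (-1)^{|I|+1}\, Sp\Big(\bigcap_{i \in I} A_i\Big).$$

Indeed, by definition we have

$$\Gamma_*\Big(\bigcup_{i=1}^n A_i\Big) \supseteq \bigcup_{i=1}^n \Gamma_*(A_i)$$

and, for any $\emptyset \neq I \subseteq \{1, \ldots, n\}$,

$$\Gamma_*\Big(\bigcap_{i \in I} A_i\Big) = \bigcap_{i \in I} \Gamma_*(A_i).$$

It follows that

$$\begin{aligned}
Sp\Big(\bigcup_{i=1}^n A_i\Big) = bel_{\mathcal{O}}\Big(\Gamma_*\Big(\bigcup_{i=1}^n A_i\Big)\Big) &\geq bel_{\mathcal{O}}\Big(\bigcup_{i=1}^n \Gamma_*(A_i)\Big) \\
&\geq \sum_{\emptyset \neq I \subseteq \{1,\ldots,n\}} (-1)^{|I|+1}\, bel_{\mathcal{O}}\Big(\bigcap_{i \in I} \Gamma_*(A_i)\Big) \\
&= \sum_{\emptyset \neq I \subseteq \{1,\ldots,n\}} (-1)^{|I|+1}\, bel_{\mathcal{O}}\Big(\Gamma_*\Big(\bigcap_{i \in I} A_i\Big)\Big) \\
&= \sum_{\emptyset \neq I \subseteq \{1,\ldots,n\}} (-1)^{|I|+1}\, Sp\Big(\bigcap_{i \in I} A_i\Big)
\end{aligned}$$

This proves the theorem.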
Note that $Sp$ and $Pl$ also form a dual pair, i.e. $Sp(A) = 1 - Pl(\overline{A})$ for any
$A \in 2^W$. Thus $Pl$ is a plausibility function.

The duality shows a one-to-one correspondence between these two functions.
The plausibility function is just another way of presenting the same information
as the support function does, and so could be forgotten.



4.2 Conditioning as Belief Revision 

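Now assume that some further evidence becomes available and implies that
$B \in 2^W$ is surely true. In the PBM, an observation $Ob$ in $\mathcal{O}$ such that $\Gamma(Ob) \cap
B = \emptyset$ becomes irrelevant in the light of the new evidence. More particularly, the
conditioning on $B$ means that the mapping $\Gamma : \mathcal{O} \to 2^W$ has been transformed
into the mapping $\Gamma_B : \mathcal{O} \to 2^W$ with $\Gamma_B(Ob) = \Gamma(Ob) \cap B$⁶. As $B$ is surely
true in the light of the new evidence, Your evidential corpus $(EC_t^Y)$ must be revised
according to $B$. Thus the new evidence should be propagated back to $2^{\mathcal{O}}$ and,
following Smets' proposal, the mass $m_{\mathcal{O}}(O)$ initially allocated to $O$ is
then transferred to $O \cap \Gamma^*(B)$. Clearly, $\Gamma^*(B) = \mathrm{Dom}(\Gamma_B)$. The initially basic
belief assignment $m_{\mathcal{O}}$ is transformed into $m_{\mathcal{O}}(\cdot \mid \Gamma^*(B)) : 2^{\mathcal{O}} \to [0, 1]$ with

$$m_{\mathcal{O}}(O \mid \Gamma^*(B)) = \begin{cases} c \sum_{X \subseteq \overline{\Gamma^*(B)}} m_{\mathcal{O}}(O \cup X) & \text{for } O \subseteq \Gamma^*(B), \\ 0 & \text{otherwise,} \end{cases} \qquad (10)$$

where

$$c = \frac{1}{1 - \sum_{X \subseteq \overline{\Gamma^*(B)}} m_{\mathcal{O}}(X)}$$

The rule of conditioning is expressed in terms of the belief function $bel_{\mathcal{O}}$ as
follows

$$bel_{\mathcal{O}}(O \mid \Gamma^*(B)) = \frac{bel_{\mathcal{O}}(O \cup \overline{\Gamma^*(B)}) - bel_{\mathcal{O}}(\overline{\Gamma^*(B)})}{1 - bel_{\mathcal{O}}(\overline{\Gamma^*(B)})}$$

On the other hand, the conditioning on $B$ with respect to $Sp$ yields, according
to Dempster's rule of conditioning, the following

$$Sp(A \mid B) = \frac{Sp(A \cup \overline{B}) - Sp(\overline{B})}{1 - Sp(\overline{B})} \qquad (11)$$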


The following theorem shows that the propagation of conditioning is consistent 
with the transfer of beliefs. Hence the name PBM. 

Theorem 4.2. Let $(\mathcal{O}, m_{\mathcal{O}}, W, \Gamma)$ be a basic evidential structure. Then the rule
of conditioning as belief revision above is consistent with the transfer of beliefs.



This goes back to Dempster [2]. 
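Proof. Given $(\mathcal{O}, m_{\mathcal{O}}, W, \Gamma)$ and a new piece of evidence that implies $B$ is surely
true, by the rule of conditioning as belief revision we have

$$Sp_B(A) = bel_{\mathcal{O}}(\Gamma_{B*}(A) \mid \Gamma^*(B)) = \frac{bel_{\mathcal{O}}(\Gamma_{B*}(A) \cup \overline{\Gamma^*(B)}) - bel_{\mathcal{O}}(\overline{\Gamma^*(B)})}{1 - bel_{\mathcal{O}}(\overline{\Gamma^*(B)})} \qquad (12)$$

On the other hand, it follows by definition that

$$Sp(\overline{B}) = bel_{\mathcal{O}}(\Gamma_*(\overline{B})) = bel_{\mathcal{O}}(\overline{\Gamma^*(B)}) \qquad (13)$$

Furthermore, it is easy to check that the following holds

$$\Gamma_*(A \cup \overline{B}) = \Gamma_{B*}(A) \cup \Gamma_*(\overline{B})$$

That immediately implies

$$Sp(A \cup \overline{B}) = bel_{\mathcal{O}}(\Gamma_{B*}(A) \cup \overline{\Gamma^*(B)}) \qquad (14)$$

The equations (13) and (14) imply that $Sp_B(A) = Sp(A \mid B)$ (review (11) and
(12)). In terms of basic belief assignments, we obtain the following schema

$m_{\mathcal{O}}$ --propagation--> $m\,(Sp)$ --transfer--> $m_B\,(Sp_B)$

$m(\cdot \mid B)\,(Sp(\cdot \mid B))$

↓ transfer

$m_{\mathcal{O}}(\cdot \mid \Gamma^*(B))$ --propagation--> $m(\cdot \mid B)\,(Sp(\cdot \mid B))$

This concludes the proof.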

Remark 4-2. The PBM is reduced to the TBM once the set of observations
$\mathcal{O}$ in a basic evidential structure $(\mathcal{O}, m_{\mathcal{O}}, W, \Gamma)$ is complete and mutually
exclusive. Indeed, since $\mathcal{O}$ is complete and mutually exclusive, i.e. $\{\Gamma(Ob) \mid Ob \in \mathcal{O}\}$
forms a partition of $W$, the set of observable subsets in $W$ forms a
Boolean algebra that is isomorphic to $2^{\mathcal{O}}$. Thus, it is legitimate to define
$m : 2^W \to [0, 1]$ as follows

$$m(A) = \begin{cases} m_{\mathcal{O}}(\Gamma^{-1}(A)) & \text{if } A \text{ is observable,} \\ 0 & \text{otherwise.} \end{cases}$$

Note that if $A$ is observable then $\Gamma^{-1}(A) = \Gamma_*(A) = \Gamma^*(A)$. Consequently,
$(W, \mathcal{R}, Sp)$ is a credibility space in the sense of Smets and Kennes [28], where $\mathcal{R}$
is the Boolean algebra of the observable subsets of $W$ generated by $\Gamma(\mathcal{O})$.

Remark 4-3. In the case where focal elements of $m_{\mathcal{O}}$ are exactly singletons,
i.e. that $bel_{\mathcal{O}}$ is a probability function, a basic evidential structure becomes
a Dempster’s structure. Then Dempster considered that the conditioning on
$B \subseteq W$ means the transformation of $\Gamma$ into $\Gamma_B$, and also postulated that the
knowledge of the conditioning event $B$ does not modify $bel_{\mathcal{O}}$. This was open to
criticism [29]. Surprisingly, whilst Dempster defined the lower probability of an
event $A$ in $W$ as the conditional probability of $\Gamma_*(A)$ given the set of only
relevant observations $Dom(\Gamma)$ in $\mathcal{O}$ (review (3)), he did not take the idea into
account once the conditioning information becomes available.
4.3 Refinements and the Three Prisoners Problem

Let us consider two basic evidential structures $BE_1 = (\mathcal{O}_1, m_{\mathcal{O}_1}, W, \Gamma_1)$ and
$BE = (\mathcal{O}, m_{\mathcal{O}}, W, \Gamma)$ on the same frame of discernment $W$. We call $BE_1$ a
refinement of $BE$ if there is a surjection $f : \mathcal{O}_1 \to \mathcal{O}$ such that $\Gamma = \Gamma_1 \circ f^{-1}$ and
$bel_{\mathcal{O}}(O) = bel_{\mathcal{O}_1}(f^{-1}(O))$, for any $O \in 2^{\mathcal{O}}$. An illustrated example is depicted
as below.

We would like to close this section by analyzing the well-known three prison- 
ers problem, that is one of the most quoted examples concerning the applicability 
of Dempster’s rule of conditioning, e.g. [18,7]. The problem is stated as follows⁷.

Let a, b and c be three prisoners. Two of the prisoners are chosen by 
the warden to be executed but a does not know which. He therefore says 
to the jailer: “Since either b or c is certainly going to be executed, you will 
give me no information about my own chances if you give me the name 
of one man, either b or c, who is going to be executed.” Accepting this 
argument, the jailer truthfully replies: “b will be executed.” Thereupon a
feels happier because before the jailer replied, his own chance of execution 
was two-thirds, but afterwards there are only two people, himself and 
c, who could be the one not executed, and so his chance of execution is 
one-half. 

Is the prisoner a justified in believing that his chance of escaping has improved? 

Before analyzing the problem in terms of a basic evidential structure, we
note that, as discussed in [6], in order for a to believe that his own chance
of execution was two-thirds before the jailer replied, he seems to be implicitly
assuming that the one to get pardoned is chosen at random from among a, b
and c. This assumption means that each prisoner would be randomly selected
with probability $\frac{1}{3}$ to be pardoned. Further, following [6] we model a possible
state by a pair $(x, y)$, where $x, y \in \{a, b, c\}$, that represents a state where x is
pardoned and the jailer replies that y will be executed to a’s question. Since the
jailer answers truthfully and will never tell a directly that a will be executed,
the set of possible states is $W = \{(a, b), (a, c), (b, c), (c, b)\}$.

We now construct a basic evidential structure for a before getting the answer
from the jailer as $BE = (\mathcal{O}, m_{\mathcal{O}}, W, \Gamma)$, where $\mathcal{O} = \{Ob_a, Ob_b, Ob_c\}$ with $Ob_x$
corresponding to “x is pardoned”, $m_{\mathcal{O}}(Ob_x) = \frac{1}{3}$ for every $x \in \{a, b, c\}$, and
$\Gamma(Ob_a) = \{(a, b), (a, c)\}$, $\Gamma(Ob_b) = \{(b, c)\}$, $\Gamma(Ob_c) = \{(c, b)\}$. Let us denote by
says-b the event $\{(a, b), (c, b)\}$ corresponding to the jailer’s answer. Then two
situations could arise when the jailer gave the answer to a’s question [26].

Context 1. a has learnt that the jailer’s answer is surely true (e.g., the jailer saw
the result of the selection from the judge), i.e. that says-b is surely true. Then a
should revise his belief by conditioning on says-b from $BE$, which results in

$$Sp_{says\text{-}b}(\{(a, b), (a, c)\}) = \frac{1}{2}.$$

Hence he feels happier realistically.

⁷ This description of the story is taken from [6] and our discussion is based on that of
Fagin and Halpern [6] and Smets [26].
Context 2. a has learnt that the jailer chooses at random between saying b
and c if a is pardoned. This is because the jailer would like to satisfy the
prisoner a while making sure that the answer does not change a’s belief about
his chance of saving. Then a has just been updated with a piece of uncertain
information that “the probability that the jailer chooses to say that b will be
executed is $\frac{1}{2}$”. This uncertain information helps a just in refining his basic
evidential structure, say $BE' = (\mathcal{O}', m_{\mathcal{O}'}, W, \Gamma')$, that is a refinement of $BE$,
where $\mathcal{O}' = \{Ob_{ab}, Ob_{ac}, Ob_b, Ob_c\}$ with $Ob_{ax}$ corresponding to “a is pardoned
and the jailer says x”, $m_{\mathcal{O}'}(Ob_{ax}) = \frac{1}{6}$, $m_{\mathcal{O}'}(Ob_x) = \frac{1}{3}$ for $x \in \{b, c\}$, and

$\Gamma'(Ob_{ab}) = \{(a, b)\}$, $\Gamma'(Ob_{ac}) = \{(a, c)\}$, $\Gamma'(Ob_b) = \{(b, c)\}$, $\Gamma'(Ob_c) = \{(c, b)\}$.

This yields a probability model, and then one gets

$$Sp_{says\text{-}b}(\{(a, b), (a, c)\}) = \frac{Sp(\{(a, b)\})}{Sp(\{(a, b), (c, b)\})} = \frac{1}{3}.$$
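The two contexts can be recomputed mechanically. The following Python sketch is an added example, not code from the paper; it assumes $Sp(A) = bel_{\mathcal{O}}(\Gamma_*(A))$ with every observation relevant, and all function and variable names are illustrative. It evaluates the support for “a is pardoned” after says-b both by propagation (rule (10) on $m_{\mathcal{O}}$, then $\Gamma_B$) and by transfer (rule (11) on $Sp$), so the agreement stated in Theorem 4.2 can be checked on this instance.

```python
from fractions import Fraction

# Frame W: (x, y) means "x is pardoned and the jailer says y will be executed".
W = frozenset({("a", "b"), ("a", "c"), ("b", "c"), ("c", "b")})
SAYS_B = frozenset({("a", "b"), ("c", "b")})        # conditioning event B
A_PARDONED = frozenset({("a", "b"), ("a", "c")})    # event "a is pardoned"


def bel(mass, subset):
    """Belief of a set of observations: mass of non-empty focal sets inside it."""
    return sum((m for focal, m in mass.items() if focal and focal <= subset),
               Fraction(0))


def lower_inverse(gamma, event):
    """Observations whose non-empty image lies entirely inside the event."""
    return frozenset(ob for ob, image in gamma.items() if image and image <= event)


def upper_inverse(gamma, event):
    """Observations whose image meets the event (the relevant observations)."""
    return frozenset(ob for ob, image in gamma.items() if image & event)


def sp(mass, gamma, event):
    """Assumed definition of the induced support: Sp(A) = bel_O(lower inverse of A)."""
    return bel(mass, lower_inverse(gamma, event))


def sp_by_propagation(mass, gamma, event, evidence):
    """Revise m_O as in (10), restrict gamma to the evidence, then evaluate."""
    relevant = upper_inverse(gamma, evidence)
    moved = {}
    for focal, m in mass.items():
        target = focal & relevant            # mass of O moves to O ∩ Γ*(B)
        if target:                           # mass landing on the empty set is dropped
            moved[target] = moved.get(target, Fraction(0)) + m
    total = sum(moved.values(), Fraction(0))
    if total == 0:
        raise ValueError("evidence contradicts every observation")
    revised = {focal: m / total for focal, m in moved.items()}   # factor c
    gamma_b = {ob: image & evidence for ob, image in gamma.items()}
    return bel(revised, lower_inverse(gamma_b, event))


def sp_by_transfer(mass, gamma, event, evidence):
    """Dempster's rule of conditioning (11), applied to Sp on W."""
    complement = W - evidence
    excluded = sp(mass, gamma, complement)
    if excluded == 1:
        raise ValueError("evidence contradicts every observation")
    return (sp(mass, gamma, event | complement) - excluded) / (1 - excluded)


def single(ob):
    return frozenset({ob})


# Context 1: the structure BE with three observations.
MASS_BE = {single(ob): Fraction(1, 3) for ob in ("Ob_a", "Ob_b", "Ob_c")}
GAMMA_BE = {
    "Ob_a": frozenset({("a", "b"), ("a", "c")}),
    "Ob_b": frozenset({("b", "c")}),
    "Ob_c": frozenset({("c", "b")}),
}

# Context 2: the refinement BE' in which Ob_a is split by the jailer's answer.
MASS_REFINED = {
    single("Ob_ab"): Fraction(1, 6), single("Ob_ac"): Fraction(1, 6),
    single("Ob_b"): Fraction(1, 3), single("Ob_c"): Fraction(1, 3),
}
GAMMA_REFINED = {
    "Ob_ab": frozenset({("a", "b")}), "Ob_ac": frozenset({("a", "c")}),
    "Ob_b": frozenset({("b", "c")}), "Ob_c": frozenset({("c", "b")}),
}


def three_prisoners():
    """Return (propagation, transfer) values of Sp_says-b(a pardoned) per context."""
    cases = {"context 1": (MASS_BE, GAMMA_BE),
             "context 2": (MASS_REFINED, GAMMA_REFINED)}
    return {name: (sp_by_propagation(m, g, A_PARDONED, SAYS_B),
                   sp_by_transfer(m, g, A_PARDONED, SAYS_B))
            for name, (m, g) in cases.items()}


if __name__ == "__main__":
    for name, (propagated, transferred) in three_prisoners().items():
        print(name, propagated, transferred)
```
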



5 Conclusions 

In this paper we have proposed a new approach to belief modeling based on 
Smets’ view of the origin of beliefs and the notion of a multi-valued mapping. 
Interestingly enough, the model also induces a belief function that quantifies our 
degrees of support in subsets of the frame of discernment given a basic evidential 
structure. Furthermore, it has been shown that the propagation of conditioning 
in the model is consistent with the transfer of beliefs. 

As we have mentioned in Remarks 4-5, the approach proposed in this paper 
has also provided a generalization of a number of existing models. This may 
allow us to understand their commonalities and differences, and to facilitate the 
formal comparison of these models. We do hope that this will also support a 
better understanding of existing models of beliefs and serve as a bridge of the 
gap between well-known approaches. More details on the model as well as the 
problem on the combination of evidence in the model will be presented in a 
forthcoming paper. 
Abstract. The problem of construction of a computer-oriented technique
for inference search based on a certain sequent formalism for
first-order classical logic with equality is solved. For this, special calculi 
of so-called sequent trees are constructed. The following features are 
inherent to the tree calculi: (i) preliminary skolemization is used for 
increasing their proof search efficiency with the help of a technique 
for finding the most general simultaneous unifier, (ii) every calculus is 
completely induced by a correspondent sequent calculus, (iii) any trans- 
formation of a sequent tree is defined by an appropriate (propositional) 
rule, and what’s more, (iv) certain kinds of the paramodulation rule are 
added to the sequent tree calculi. For all the calculi, some results about 
their soundness and completeness are given. Note that an approach 
under consideration can give a possibility to incorporate the proposed 
paramodulation technique into, for example, different modifications of
the model elimination method, of goal-oriented sequent calculi, and of 
the tableaux method. 



1 Introduction 

At present, elaboration of inference search methods, which foresee a participation
of man in inference searching, is given more consideration. However, when for
this purpose one tries to use well-known methods relying upon results of Skolem
[1] and Herbrand [2] and having a sufficiently high efficiency (such as
resolution-type methods, the inverse method, connection graph methods, etc.), a number of
difficulties arise. These difficulties are caused by the fact that both the specificity
of the methods consisting in the “destruction” of an assertion to be proven by
transforming it into clauses, collections, connection graphs, and so on, and ways
of organizing a proof search process impede the implementation of tools for the
construction of such a “natural” deduction, which could be achieved by using
Gentzen calculi [3] (for example, Kanger’s calculus [4]).

At the same time, usual Gentzen-type sequent calculi are significantly inferior in
proof search efficiency, for example, to resolution-type methods. In general, this is
connected with additional search efforts caused, on the one hand, by the possibility
of different orders of quantifier rule applications, which arises due to the absence
of preliminary skolemization, and, on the other hand, by uncontrolled selection
of a propositional rule for its application. This situation is made worse when
the necessity for efficient equality manipulation appears. That is why the recent
state of automated reasoning is characterized by the great attention paid to the
construction of proof search methods combining the best features
of first-order sequent formalism and logical combinatory technique (for example,
sophisticated types of resolution and paramodulation techniques). These words
are confirmed by the great number of appropriate publications. (For this, it is
enough to turn to the Handbook of Automated Reasoning (ed. by A. Robinson
and A. Voronkov) containing papers, such as [5], [6], [7], [8], and so on.)

In this paper an attempt is made to investigate some properties of sequent 
inferences in the form of trees considering them as well-formed expressions of 
special (sequent) tree calculi constructed for the effective establishment of the 
deducibility of sequents in first-order classical logic (with or without equality). 

The sequent trees calculi considered in this paper have the following features:
skolemization is used for eliminating non-effective quantifier manipulations,
every tree calculus is completely induced by a correspondent sequent calculus in the
usual form, any transformation of a sequent tree is goal-driven, and what’s more,
certain kinds of the paramodulation rule are incorporated in the sequent tree
calculi. Note that we concentrate our attention only on the most general
(fundamental) ways of adding the paramodulation to the sequent tree calculi,
disregarding methods of building-in different well-studied sophisticated modifications
of the paramodulation rules, which is explained by the fact that any paramodulation
modification requires separate thorough study.

For all the calculi under consideration, some results about their soundness 
and completeness are given. 

2 Preliminaries 

The sequent form of first-order classical logic with equality is considered. Its
language includes the universal and existential quantifiers ($\forall x$ and $\exists x$), the
propositional connectives of implication ($\supset$), disjunction ($\vee$), conjunction ($\wedge$),
and negation ($\neg$), and the equality symbol ($=$). Below, atomic formulas are
denoted by $A$, literals are denoted by $L$ or $M$, formulas are denoted by English
capital letters. Sequences of formulas are denoted by Greek capital letters. All
letters can be subscripted.

2.1 General Notions 

Notions of terms, atomic formula, formulas, and literals are considered to be 
known. A formula being the result of renaming of variables in some formula is 
called its variant. 

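The empty formula is denoted by $\sharp$.

The expression $F^{\neg}$ denotes the result of carrying the negation into a formula
$F$: $(\forall x P)^{\neg}$ is $\exists x P^{\neg}$, $(\exists x P)^{\neg}$ is $\forall x P^{\neg}$, $(P \supset Q)^{\neg}$ is $P \wedge Q^{\neg}$, $(P \vee Q)^{\neg}$ is $P^{\neg} \wedge Q^{\neg}$,
$(P \wedge Q)^{\neg}$ is $P^{\neg} \vee Q^{\neg}$, $(\neg P)^{\neg}$ is $P$, and $A^{\neg}$ is $\neg A$.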
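We define positive ($P\lfloor F^{+}\rfloor$) and negative ($P\lfloor F^{-}\rfloor$) occurrences of a
formula $F$ in a formula $P$ in the following way:

I. $F\lfloor F^{+}\rfloor$ always holds.

II. If $F$ occurs in $P$ then:

$P\lfloor F^{+}\rfloor$ implies $(\neg P)\lfloor F^{-}\rfloor$;          $P\lfloor F^{-}\rfloor$ implies $(\neg P)\lfloor F^{+}\rfloor$
$P\lfloor F^{+}\rfloor$ implies $(P \wedge Q)\lfloor F^{+}\rfloor$;     $P\lfloor F^{-}\rfloor$ implies $(P \wedge Q)\lfloor F^{-}\rfloor$
$P\lfloor F^{+}\rfloor$ implies $(Q \wedge P)\lfloor F^{+}\rfloor$;     $P\lfloor F^{-}\rfloor$ implies $(Q \wedge P)\lfloor F^{-}\rfloor$
$P\lfloor F^{+}\rfloor$ implies $(P \vee Q)\lfloor F^{+}\rfloor$;       $P\lfloor F^{-}\rfloor$ implies $(P \vee Q)\lfloor F^{-}\rfloor$
$P\lfloor F^{+}\rfloor$ implies $(Q \vee P)\lfloor F^{+}\rfloor$;       $P\lfloor F^{-}\rfloor$ implies $(Q \vee P)\lfloor F^{-}\rfloor$
$P\lfloor F^{+}\rfloor$ implies $(P \supset Q)\lfloor F^{-}\rfloor$;    $P\lfloor F^{-}\rfloor$ implies $(P \supset Q)\lfloor F^{+}\rfloor$
$P\lfloor F^{+}\rfloor$ implies $(Q \supset P)\lfloor F^{+}\rfloor$;    $P\lfloor F^{-}\rfloor$ implies $(Q \supset P)\lfloor F^{-}\rfloor$
$P\lfloor F^{+}\rfloor$ implies $(\forall x P)\lfloor F^{+}\rfloor$;    $P\lfloor F^{-}\rfloor$ implies $(\forall x P)\lfloor F^{-}\rfloor$
$P\lfloor F^{+}\rfloor$ implies $(\exists x P)\lfloor F^{+}\rfloor$;    $P\lfloor F^{-}\rfloor$ implies $(\exists x P)\lfloor F^{-}\rfloor$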


Obviously, we can assume that any formula cannot contain two different 
quantifiers having a common variable. 

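If $P\lfloor(\forall x F)^{+}\rfloor$ ($P\lfloor(\exists x F)^{-}\rfloor$) holds for some formulas $F$ and $P$, then the
quantifier $\forall x$ ($\exists x$) is said to be positive in the formula $P$.

If $P\lfloor(\exists x F)^{+}\rfloor$ ($P\lfloor(\forall x F)^{-}\rfloor$) holds for some formulas $F$ and $P$, then the
quantifier $\exists x$ ($\forall x$) is said to be negative in the formula $P$.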
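The definitions of Section 2.1 up to this point (carrying a negation into a formula, signed occurrences, and the sign of a quantifier) translate directly into recursive functions. The following Python sketch is an added example, not part of the paper; the tuple representation of formulas and all function names are assumptions made for illustration, and the sequent-level rule it applies (a quantifier in a premise changes sign) is the one the paper states for sequents.

```python
# Formulas are nested tuples (a representation chosen for this example):
#   ("atom", name, *args), ("not", P), ("and", P, Q), ("or", P, Q),
#   ("imp", P, Q), ("all", var, P), ("ex", var, P)

def carry_negation(f):
    """Return the result of carrying a negation into f, clause by clause."""
    kind = f[0]
    if kind == "atom":
        return ("not", f)                                  # atom A becomes ¬A
    if kind == "not":
        return f[1]                                        # ¬P becomes P
    if kind == "and":
        return ("or", carry_negation(f[1]), carry_negation(f[2]))
    if kind == "or":
        return ("and", carry_negation(f[1]), carry_negation(f[2]))
    if kind == "imp":
        return ("and", f[1], carry_negation(f[2]))         # P ⊃ Q becomes P ∧ (negated Q)
    if kind == "all":
        return ("ex", f[1], carry_negation(f[2]))
    if kind == "ex":
        return ("all", f[1], carry_negation(f[2]))
    raise ValueError(f"unknown connective: {kind!r}")


def occurrences(f, sign=+1):
    """Yield (subformula, sign) for every occurrence in f: +1 positive, -1 negative."""
    yield f, sign                                          # clause I: f occurs positively in f
    kind = f[0]
    if kind == "not":
        yield from occurrences(f[1], -sign)
    elif kind in ("and", "or"):
        yield from occurrences(f[1], sign)
        yield from occurrences(f[2], sign)
    elif kind == "imp":
        yield from occurrences(f[1], -sign)                # antecedent flips the sign
        yield from occurrences(f[2], sign)
    elif kind in ("all", "ex"):
        yield from occurrences(f[2], sign)


def atom_polarities(f):
    """List (atom name, sign) for each atom occurrence, left to right."""
    return [(sub[1], sign) for sub, sign in occurrences(f) if sub[0] == "atom"]


def quantifier_signs(f):
    """Map each bound variable to 'positive' or 'negative' in the formula f."""
    signs = {}
    for sub, sign in occurrences(f):
        if sub[0] in ("all", "ex"):
            # A universal quantifier is positive when it occurs positively,
            # an existential one when it occurs negatively.
            natural = +1 if sub[0] == "all" else -1
            signs[sub[1]] = "positive" if sign == natural else "negative"
    return signs


def quantifier_signs_in_sequent(premises, goal):
    """Signs in a sequent: kept for the goal, swapped for the premises."""
    flip = {"positive": "negative", "negative": "positive"}
    signs = dict(quantifier_signs(goal))
    for premise in premises:
        signs.update({v: flip[s] for v, s in quantifier_signs(premise).items()})
    return signs


# Constructed sample formulas (the propositional ones reuse the letters F and G).
F, G = ("atom", "F"), ("atom", "G")
PREMISE = ("imp", ("and", ("not", G), F), G)               # (¬G ∧ F) ⊃ G
GOAL = ("or", ("not", F), G)                               # ¬F ∨ G
QUANTIFIED = ("imp", ("all", "x", ("atom", "P", "x")),
              ("ex", "y", ("atom", "Q", "y")))             # ∀x P(x) ⊃ ∃y Q(y)

if __name__ == "__main__":
    print(carry_negation(GOAL))
    print(atom_polarities(PREMISE))
    print(quantifier_signs_in_sequent([QUANTIFIED], GOAL))
```
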

An equation is a pair of terms $s$, $t$ written as $s \approx t$.

We use the expression $L(t_1, \ldots, t_n)$ to denote that $t_1, \ldots, t_n$ is a list of all the
terms (possibly, with repetitions) occupying argument places in a literal $L$ in the
order of their occurrences in $L$.

If $L$ is a literal, then $\tilde{L}$ denotes its complement.

Assume $L$ is a literal of a form $R(t_1, \ldots, t_n)$ ($\neg R(t_1, \ldots, t_n)$) and $M$ is a
literal of a form $R(s_1, \ldots, s_n)$ ($\neg R(s_1, \ldots, s_n)$), where $R$ is a predicate symbol
and $t_1, \ldots, t_n, s_1, \ldots, s_n$ are terms. Then $\Sigma(L, M)$ denotes the set of equations
$\{t_1 \approx s_1, \ldots, t_n \approx s_n\}$. In this case $L$ and $M$ are said to be equal modulo
$\Sigma(L, M)$ ($L \approx M$ modulo $\Sigma(L, M)$).

We understand sequents in the usual sense. Formulas in the antecedent of any
sequent are called premises, and formulas in its succedent are called goals of the
sequent. Sequences of premises and goals are thought of as sets. So, the order of
writing premises and goals is immaterial. Also, clearly, we can assume that
all the formulas from premises and goals of the same sequent pairwise have no
common variables.

Let $S$ denote a sequent $\Gamma \to \Delta$ where $\Gamma$ and $\Delta$ are sequences of formulas.
If a quantifier $\forall x$ ($\exists x$) is positive (negative) in some formula from $\Delta$, then the
quantifier is said to be positive (negative) in $S$. If a quantifier $\forall x$ ($\exists x$) is positive
(negative) in some formula from $\Gamma$, then the quantifier is said to be negative
(positive) in $S$.

Without loss of generality, we can restrict ourselves to considering only
one-goal sequents, that is sequents with exactly one goal in their succedents. The
notion of usual sequents is extended to sequents of the form $\Gamma \to \sharp$, where $\Gamma$ is
a sequence of formulas, and $\sharp$ is the empty formula. These sequents are called
terminal sequents.
We consider the reader familiar with the notions of substitution, unifier and
most general simultaneous unifier, which are treated like in [9]. Moreover, if $E$
denotes any expression, and $\sigma$ is a substitution, then the result of application of $\sigma$
to $E$ is understood in the sense of [9] and is denoted by $E * \sigma$. For any set $Ex$ of
expressions, $Ex * \sigma$ denotes the result of application of $\sigma$ to every expression from
$Ex$.

2.2 Herbrand Theorem for One-Goal Sequents 

From now on, the Herbrand theorem given below, in a form extracted from [10], is used.

It is known [10] that by means of a special kind of skolemization, the
establishment of deducibility of any sequent can be reduced to the establishment
of deducibility of a sequent with eliminated positive quantifiers and with free
variables as constants. That is why we further restrict ourselves to the examination
of sequents with only negative quantifiers. In this connection, we can eliminate all the
quantifiers from sequents. Therefore, we can assume that any sequent consists of
quantifier-free formulas, which pairwise have no common variable. We will keep
to this restriction over the whole paper.

As usual, the Herbrand universe $H(S)$ for a sequent $S$ is defined as the
minimal set containing the following terms: (i) $H(S)$ contains every constant
from $S$ (if there are no constants in $S$, then a special symbol, for example, $c_0$,
belongs to $H(S)$), and (ii) for every functional $k$-arity symbol $f$ occurring in $S$
and any terms $t_1, \ldots, t_k \in H(S)$, $H(S)$ contains the term $f(t_1, \ldots, t_k)$.

As a corollary of some results presented in [10], we obtain the following form 
of Herbrand theorem. 

Herbrand theorem (for one-goal sequents). Let $S$ be a sequent of
the form $\Gamma \to G$, where $\Gamma$ is a sequence of formulas, and $G$ is a formula. The
sequent $S$ is deducible in the Gentzen calculus LK [3] if and only if there exist
the substitution $\sigma$ and formulas $P_1, \ldots, P_n$, such that for every $i$ ($1 \le i \le n$) $P_i$
is a variant of some formula from $\Gamma$ or a variant of $\sim G$, $\sigma$ substitutes terms
from $H(S)$ for all the variables of $S$, and the sequent $P_1 * \sigma, \ldots, P_n * \sigma \to G * \sigma$
(not containing variables) is deducible in LK.

3 Scheme of Construction of Calculi of Sequent Trees 

Well-formed expressions of calculi of sequent trees are trees with nodes labeled
by sequents. We identify a node with its label and suppose that any tree grows
“from top to bottom”. Trees with leaves labeled only by terminal sequents are
called terminal trees. If $S$ is a sequent, then an initial tree induced by $S$ is a tree
consisting only of a root labeled by $S$. We suppose that any initial tree cannot
be induced by any terminal sequent.

Every sequent calculus under consideration generates an appropriate calculus
of sequent trees. Below we restrict ourselves to sequent calculi containing only
one-premise inference rules, when the latter are read from “top to bottom”.
A set $Eq(Tr)$ of equations is connected with every (inferred) sequent tree
$Tr$. We suppose $Eq(Tr)$ is equal to $\emptyset$ for every initial tree $Tr$. For an inferred
tree $Tr$ different from an initial tree, $Eq(Tr)$ is determined by an appropriate
inference rule of a sequent calculus under consideration.

A terminal tree $Tr$ is called a proof tree if and only if there exists the most
general simultaneous unifier of $Eq(Tr)$.

Now we have all the necessary to give a general scheme of the construction 
of sequent tree calculi. Let SC denote any sequent calculus. Then a calculus of 
sequent trees corresponding to SC is defined as follows. 

I. Axioms of the calculus of sequent trees are certain initial trees. 

II. Inference rules: 

II.1. Inference rules induced by sequent calculus. Let $Lf$ be a leaf of a sequent
tree $Tr$. Let a rule $R$ of $SC$ be applicable to $Lf$ with generating consequences
$Lf_1, \ldots, Lf_m$ ($m > 0$). If $Tr'$ is obtained from $Tr$ by means of adding $m$
successors $Lf_1, \ldots, Lf_m$ to $Lf$, then $Tr'$ is said to be inferred from $Tr$ by $R$. A
set $Eq(Tr')$ is determined as $Eq(Tr) \cup \Sigma(L, M)$, where $\Sigma(L, M)$ is determined
by $R$ of $SC$.

II.2. Rule of Contrary Closing (CC). Let $Tr$ be a sequent tree and $Br$ be a
branch of $Tr$ with a leaf $Lf$ labeled by a sequent $\Gamma \to L$, where $\Gamma$ is a sequence
of formulas, and $L$ is a literal. Let $Br$ contain a sequent $\Gamma' \to M$, where $\Gamma'$ is
a sequence of formulas, and $M$ is a literal such that $\tilde{L} \approx M$ modulo $\Sigma(\tilde{L}, M)$.
If $Tr'$ is obtained from $Tr$ by means of adding one successor labeled by
$\Gamma \to \sharp$ to $Lf$, then $Tr'$ is said to be inferred from $Tr$ by CC. A set $Eq(Tr')$ is
determined as $Eq(Tr) \cup \Sigma(\tilde{L}, M)$.

Remark 1. Note that CC is a rule of every sequent
trees calculus under consideration.

A sequence of trees $Tr_1, \ldots, Tr_n$ is said to be an inference in a calculus of
sequent trees if and only if $Tr_1$ is an initial tree, and for $i > 0$ $Tr_{i+1}$ is inferred
from $Tr_i$ by some inference rule.

A sequent $S$ is considered to be inferred w.r.t. a calculus of sequent trees if and
only if for some inference $Tr_1, \ldots, Tr_n$ in the calculus, the following conditions
are satisfied: $Tr_1$ is an initial tree induced by a certain axiom constructed from
$S$, $Tr_n$ is a terminal tree, and there exists the most general simultaneous unifier
$\sigma$ for pairs from a set $Eq(Tr_1) \cup \ldots \cup Eq(Tr_n)$. If $\sigma$ is the empty substitution,
then $Tr_1, \ldots, Tr_n$ is called a propositional inference.

Given appropriate sequent-type calculi, we can now introduce the calculi of
sequent trees of interest to us.
4 Sequent Trees Calculi for Logic without Equality

This section is devoted to first-order classical logic without equality.

4.1 Calculus $ST_1$

Axioms of $ST_1$. Let $S$ be a one-goal sequent $\Gamma \to F$, where $\Gamma$ is a sequence
of formulas, and $F$ is a formula. Then an initial tree induced by a sequent
$\Gamma, F^{\neg} \to F'$ is called an axiom w.r.t. $S$ for $ST_1$, where $F'$ is obtained from $F$
by renaming all its variables by new variables and besides, $F$ contains at least
one variable.

Thus, in order to define $ST_1$, it remains only to give the sequent calculus
of interest to us (cf. [11]). This sequent calculus is completely determined by its
inference rules below.



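Goal-splitting Rules. These rules apply only to the goals of sequents.

$(\to \supset_1)$-rule: $$\frac{\Gamma \to F \supset F_1}{\Gamma, F \to F_1}$$

$(\to \supset_2)$-rule: $$\frac{\Gamma \to F \supset F_1}{\Gamma, F_1^{\neg} \to F^{\neg}}$$

$(\to \vee_1)$-rule: $$\frac{\Gamma \to F \vee F_1}{\Gamma, F^{\neg} \to F_1}$$

$(\to \vee_2)$-rule: $$\frac{\Gamma \to F \vee F_1}{\Gamma, F_1^{\neg} \to F}$$

$(\to \wedge)$-rule: $$\frac{\Gamma \to F \wedge F_1}{\Gamma \to F \qquad \Gamma \to F_1}$$

$(\to \neg)$-rule: $$\frac{\Gamma \to \neg F}{\Gamma \to F^{\neg}}$$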



Premise Duplication Rule. This rule applies only if a formula $F$ contains at
least one variable.

$$\frac{\Gamma_1, F\lfloor M^{+}\rfloor, \Gamma_2 \to L}{\Gamma_1, F', F\lfloor M^{+}\rfloor, \Gamma_2 \to L}$$

where $L \approx M$ modulo $\Sigma(L, M)$, and $F'$ is obtained from $F$ by renaming all its
variables by new variables.



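Auxiliary Goal Rules. Note that the order of applications
of auxiliary goal rules is “determined” by a literal-goal $L$ from the succedent
of a sequent under consideration. This means that first of all we fix a positive
or negative occurrence of such a literal $M$ in some premise of the sequent that
$L \approx M$ modulo $\Sigma(L, M)$ if $L$ is an atomic formula or the first sign of $M$ is $\neg$,
and $\tilde{L} \approx M$ modulo $\Sigma(\tilde{L}, M)$ in the opposite case; after that we apply
auxiliary goal rules until the rules are applicable w.r.t. this occurrence of $M$.

$(\supset_1 \to)$-rule: $$\frac{\Gamma_1, F \supset F_1\lfloor M^{+}\rfloor, \Gamma_2 \to L}{\Gamma_1, F_1\lfloor M^{+}\rfloor, \Gamma_2 \to L \qquad \Gamma_1, \Gamma_2 \to F}$$

$(\supset_2 \to)$-rule: $$\frac{\Gamma_1, F\lfloor M^{-}\rfloor \supset F_1, \Gamma_2 \to L}{\Gamma_1, F^{\neg}\lfloor M^{+}\rfloor, \Gamma_2 \to L \qquad \Gamma_1, \Gamma_2 \to F_1^{\neg}}$$

$(\vee_1 \to)$-rule: $$\frac{\Gamma_1, F \vee F_1\lfloor M^{+}\rfloor, \Gamma_2 \to L}{\Gamma_1, F_1\lfloor M^{+}\rfloor, \Gamma_2 \to L \qquad \Gamma_1, \Gamma_2 \to F^{\neg}}$$

$(\vee_2 \to)$-rule: $$\frac{\Gamma_1, F\lfloor M^{+}\rfloor \vee F_1, \Gamma_2 \to L}{\Gamma_1, F\lfloor M^{+}\rfloor, \Gamma_2 \to L \qquad \Gamma_1, \Gamma_2 \to F_1^{\neg}}$$

$(\wedge_1 \to)$-rule: $$\frac{\Gamma_1, F\lfloor M^{+}\rfloor \wedge F_1, \Gamma_2 \to L}{\Gamma_1, F\lfloor M^{+}\rfloor, F_1, \Gamma_2 \to L}$$

$(\wedge_2 \to)$-rule: $$\frac{\Gamma_1, F \wedge F_1\lfloor M^{+}\rfloor, \Gamma_2 \to L}{\Gamma_1, F_1\lfloor M^{+}\rfloor, F, \Gamma_2 \to L}$$

$(\neg \to)$-rule: $$\frac{\Gamma_1, \neg(F\lfloor M^{-}\rfloor), \Gamma_2 \to L}{\Gamma_1, F^{\neg}\lfloor M^{+}\rfloor, \Gamma_2 \to L}$$

$(\to \sharp)$-rule: $$\frac{\Gamma_1, M, \Gamma_2 \to L}{\Gamma_1, M, \Gamma_2 \to \sharp}$$

where (in all the above-defined auxiliary goal rules) $L \approx M$ modulo $\Sigma(L, M)$
if $L$ is an atomic formula or the first sign of $M$ is $\neg$, and $\tilde{L} \approx M$ modulo
$\Sigma(\tilde{L}, M)$ in the opposite case.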



Remark 2. The auxiliary goal rules imply that one can assume that for an
inference $Tr_1, \ldots, Tr_n$, a set $Eq(Tr_{i+1})$ is equal to $Eq(Tr_i) \cup \Sigma(L, M)$ only if
$Tr_{i+1}$ is inferred from $Tr_i$ by the rule $(\to \sharp)$, and $Eq(Tr_{i+1})$ is equal to $Eq(Tr_i)$
in other cases.



4.2 Calculus $ST_2$

Axioms of $ST_2$. Let $S$ be a one-goal sequent $\Gamma \to F$, where $\Gamma$ is a sequence
of formulas, and $F$ is a formula. Then an initial tree induced by a sequent
$\Gamma, F^{\neg} \to F'$ is called an axiom w.r.t. $S$ for $ST_2$, where $F'$ is obtained from $F$
by renaming all its variables by new variables.

Thus, in order to define $ST_2$, it remains only to give the sequent calculus
of interest to us (cf. [12]). This sequent calculus is completely determined by its
inference rules.

Goal-splitting Rules. As in the case of the calculus $ST_1$, these rules are
used for elimination of the principal logical connective from goals. Note that
expressions $\lfloor M^{+}\rfloor$ and $\lfloor M^{-}\rfloor$ must be taken into account below only for the
case of applying an auxiliary goal rule fixing an occurrence of $M$. (Any fixed
occurrence of $M$ determines an order of goal splitting rule applications.)
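$(\to \supset_1)$-rule: $$\frac{\Gamma \to F \supset F_1\lfloor M^{-}\rfloor}{\Gamma \to F_1\lfloor M^{-}\rfloor}$$

$(\to \supset_2)$-rule: $$\frac{\Gamma \to F\lfloor M^{+}\rfloor \supset F_1}{\Gamma \to (F\lfloor M^{+}\rfloor)^{\neg}}$$

$(\to \wedge_1)$-rule: $$\frac{\Gamma \to F\lfloor M^{-}\rfloor \wedge F_1}{\Gamma \to F\lfloor M^{-}\rfloor \qquad \Gamma \to F_1}$$

$(\to \wedge_2)$-rule: $$\frac{\Gamma \to F \wedge F_1\lfloor M^{-}\rfloor}{\Gamma \to F_1\lfloor M^{-}\rfloor \qquad \Gamma \to F}$$

$(\to \vee_1)$-rule: $$\frac{\Gamma \to F\lfloor M^{-}\rfloor \vee F_1}{\Gamma \to F\lfloor M^{-}\rfloor}$$

$(\to \vee_2)$-rule: $$\frac{\Gamma \to F \vee F_1\lfloor M^{-}\rfloor}{\Gamma \to F_1\lfloor M^{-}\rfloor}$$

$(\to \neg)$-rule: $$\frac{\Gamma \to \neg(F\lfloor M^{+}\rfloor)}{\Gamma \to F^{\neg}\lfloor M^{-}\rfloor}$$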



Auxiliary Goal Rule (AG-rule). Unlike $ST_1$, the calculus $ST_2$ contains
only one auxiliary goal rule:

$$\frac{\Gamma_1, F\lfloor M^{+}\rfloor, \Gamma_2 \to L}{\Gamma_1, F, \Gamma_2 \to (F'\lfloor M^{+}\rfloor)^{\neg}}$$

where (i) $L \approx M$ modulo $\Sigma(L, M)$ if $L$ is an atomic formula or the first sign of $M$
is $\neg$, and $\tilde{L} \approx M$ modulo $\Sigma(\tilde{L}, M)$ in the opposite case, and (ii) $(F'\lfloor M^{+}\rfloor)$
is obtained from $F\lfloor M^{+}\rfloor$ by replacing all its variables by new variables keeping
a one-one correspondence between old and new variables.

Remark 3. Note that unlike $ST_1$, the calculus $ST_2$
does not contain an analog of the rule $(\to \sharp)$. Therefore, terminal trees can be
inferred in $ST_2$ only by applying the rule CC.



4.3 Main Results 

As usual, we are interested in a question on deducibility “power” of the
constructed calculi of sequent trees. For this, let us use the notion of formula image
of sequent from [10].

Let $P_1, \ldots, P_n$, and $F$ be formulas ($n \ge 0$), and $S$ denote a sequent
$P_1, \ldots, P_n \to F$. Then a formula image $\phi(S)$ of $S$ is the formula $(P_1 \wedge \ldots \wedge P_n) \supset F$,
when $n > 0$, and $\phi(S)$ is $F$, when $n = 0$. If $F$ is the empty formula $\sharp$, $\phi(S)$ is $\sharp$.

Let $Tr$ be a sequent tree, and $Lf_1, \ldots, Lf_k$ be all its leaves. A formula image
$\phi(Tr)$ of $Tr$ is a formula $\phi(Lf_1) \wedge \ldots \wedge \phi(Lf_k)$. We assume that $F \wedge \sharp$ ($\sharp \wedge F$) is
$F$, where $F$ is a formula (possibly, $\sharp$). Hence, $\phi(Tr)$ is $\sharp$ if $Tr$ is a terminal tree.

We use the standard notions of validity of formulas and consistency of a set
of formulas. Note that because all our reasoning is connected with the
establishment of deducibility (validity), we always interpret $\sharp$ as a valid formula.
Proposition 4.1. Let usual formulas (possibly, containing both positive and
negative quantifiers) $P'_1, \ldots, P'_n$ form a satisfiable set of formulas, and $F'$ be
a usual formula. Let $P_1, \ldots, P_n, F$ denote (quantifier-free) results of skolemization
of $P'_1, \ldots, P'_n, F'$, respectively. The formula $F'$ is the logical consequence of the
formulas $P'_1, \ldots, P'_n$ if and only if the sequent $P_1, \ldots, P_n \to F$ is inferred w.r.t. the
calculus $ST_1$ (w.r.t. the calculus $ST_2$).

Proof. Note that the above-described method of construction of the calculi $ST_1$
and $ST_2$, using the notion of the most general simultaneous unifier, allows us
to consider only the case of propositional inferences in calculi $ST_1$ and $ST_2$.
This follows from the given Herbrand theorem and from the fact that for any
unifier $\lambda$ for some sets $Ex_1, \ldots, Ex_k$ of expressions, the set $Ex_1 * \lambda$ is equal to
$(Ex_1 * \sigma) * \lambda'$, ..., $Ex_k * \lambda$ is equal to $(Ex_k * \sigma) * \lambda'$, where $\sigma$ is the most general
simultaneous unifier for $Ex_1, \ldots, Ex_k$, and $\lambda'$ is some substitution. Thus, we can
assume that $P_1, \ldots, P_n \to F$ do not contain variables at all.

Let $ST$ denote any of both calculi of sequent trees, and let the conditions of
Prop. 1 be applicable for $ST$. Note that for every sequent tree $Tr$ different from
a terminal tree there exists a rule of $ST$ applied to $Tr$. Also note that for any
initial tree $Tr_1$ induced by any $S$, $\phi(Tr_1)$ is logically equivalent to $\phi(S)$.

Let us assume that there exists a propositional inference $Tr_1, \ldots, Tr_n$ in $ST$
with the following properties ($Tr_1$ is considered to be the initial tree generated
by $P_1, \ldots, P_n \to F$):

1. For every $i$ ($1 \le i < n$) $\phi(Tr_i)$ is the logical consequence of $\phi(Tr_{i+1})$;

2. Let $\pi(Tr_i)$ denote such a numerical characteristic of $Tr_i$ that the following
conditions are satisfied: (2.1) $\pi(Tr_n) = 0$, and (2.2) for every $i$ ($1 \le i < n$) there
exists $j$ ($i < j \le n$) such that $\pi(Tr_j) < \pi(Tr_i)$ if $\pi(Tr_i)$ is not equal to 0.

It is easy to prove Prop. 1 for $ST$ now.

Indeed, the properties 1 and 2 ensure soundness of $ST$, i.e. they make sure
that $F$ is the logical consequence of $P_1, \ldots, P_n$, when $Tr_n$ is a terminal tree.

An inverse assertion (i.e. completeness of $ST$) is easily proved by induction
on $\pi$ on the basis of properties 1, (2.1), and (2.2).

It is easy to verify that properties 1 and 2 hold for both $ST_1$ and $ST_2$.
Therefore, $ST_1$ and $ST_2$ are sound calculi.

To obtain the completeness of $ST_1$, it remains to examine the properties 1, 2.1
and 2.2 when $\pi(Tr_i)$ denotes a number of binary connectives in all the formulas
of the initial sequent $P_1, \ldots, P_n \to F$.

As to $ST_2$, its completeness can be obtained by means of a certain
transformation of a proof tree of $ST_1$ to a proof tree of $ST_2$. Q.E.D.

To clarify differences between $ST_1$ and $ST_2$, we restrict ourselves to the
consideration of the propositional case of classical logic.

Let us establish the logical consequence of the formula $\neg F \vee G$ from the
formula $(\neg G \wedge F) \supset G$, using both $ST_1$ and $ST_2$.

At once, we note that only terminal trees are demonstrated because they
give perfect pictures about how corresponding inferences of sequent trees can be
constructed in $ST_1$ and $ST_2$. Also, the terminal trees do not contain names of
inference rules applied.
Example of inference in $ST_1$. The terminal tree is constructed below for
the sequent $(\neg G \wedge F) \supset G \to \neg F \vee G$.

$(\neg G \wedge F) \supset G,\ G \wedge \neg F \to \neg F \vee G$   (axiom)

$(\neg G \wedge F) \supset G,\ G \wedge \neg F,\ F \to G$   (by $(\to \vee_1)$)

$G,\ G \wedge \neg F,\ F \to G$      $G \wedge \neg F,\ F \to \neg G \wedge F$   (by $(\supset_1 \to)$)

$G \wedge \neg F,\ F \to \sharp$      $G \wedge \neg F,\ F \to \neg G$      $G \wedge \neg F,\ F \to F$   (by $(\to \wedge)$)

$G \wedge \neg F,\ F \to \sharp$      $G \wedge \neg F \to \sharp$

Here, the first and third leaves are constructed in accordance with the $(\to \sharp)$-rule
and the second leaf in accordance with the rule CC.



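Example of inference in $ST_2$. The terminal tree is constructed below for
the sequent $\Gamma \to \neg F \vee G$, where $\Gamma$ is the sequence $(\neg G \wedge F) \supset G$, $F \wedge \neg G$.

$\Gamma \to \neg F \vee G$   (axiom)

$\Gamma \to G$   (by $(\to \vee_2)$)

$\Gamma \to (\neg G \wedge F) \wedge \neg G$   (by (AG) applied to $(\neg G \wedge F) \supset G$)

$\Gamma \to \neg G \wedge F$      $\Gamma \to \neg G$   (by $(\to \wedge_2)$)

$\Gamma \to \neg G$      $\Gamma \to F$   (by $(\to \wedge_1)$)      $\Gamma \to \sharp$

$\Gamma \to \sharp$      $\Gamma \to \neg F \vee G$   (by (AG) applied to $F \wedge \neg G$)

$\Gamma \to \neg F$   (by $(\to \wedge_1)$)

$\Gamma \to \sharp$

Here, all the leaves are constructed in accordance with the rule CC only.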

Corollary 4.1. An arbitrary formula $F$ is valid if and only if a sequent $\to F'$
is inferred w.r.t. the calculus $ST_1$ (w.r.t. the calculus $ST_2$), where $F'$ is the
(quantifier-free) result of skolemization of $F$.

Corollary 4.2. Let formulas $P_1, \ldots, P_n, F$, $P'_1, \ldots, P'_n$, and $F'$ be taken from
Prop. 1. The sequent $P_1, \ldots, P_n \to F$ is inferred in the calculus LK from [3]
if and only if the sequent $P'_1, \ldots, P'_n \to F'$ is inferred w.r.t. the calculus $ST_1$
(w.r.t. the calculus $ST_2$).



4.4 Modifications of $ST_1$ and $ST_2$

Let us consider the following modifications ST^ and STf) by incorporating a
new inference rule CD into $ST_1$ and $ST_2$.

These modifications serve as a basis for the construction of complete exten- 
sions of the SLD-resolution having the form of a certain calculus of SLD-trees 
and for adding the paramodulation rule to these extensions. The last can serve 
as an example of the introduction of the paramodulation into different modi- 
fications of the model elimination method. Also, this technique can be applied 
usefully for equality handling in different variants of the tableaux method. 
Let us introduce a new rule.

Chain Deleting rule (CD-rule). Let Tr be a sequent tree, and Br be a
branch of Tr with a leaf Lf labeled by a sequent $\Gamma \to \#$, where
$\Gamma$ is a sequence of formulas. Let E denote a set E(L,M) relating to
$\Gamma \to \#$, and Ch denote the maximal part of Br such that Ch contains
(“is ended” by) $\Gamma \to \#$, and every node of Ch with a label different
from $\Gamma \to \#$ has only one successor. If Tr' denotes the result of a
deletion of Ch from Tr and there exists the most general simultaneous
unifier $\sigma$ of E, then $Tr' * \sigma$ is said to be an inference tree
produced by CD-rule, where $Tr' * \sigma$ is the result of applying $\sigma$
to all the formulas in Tr.

Further, we assume that the CD-rule already is applied after any application
of $(\to \#)$-rule or CC-rule. (In this connection, it can be considered as a
“part” of these rules. Hence, sequent trees in $ST_1^{\#}$ and $ST_2^{\#}$ do
not contain sequents of the form $\Gamma \to \#$.)

Proposition 4.2. Let $P_1, \dots, P_n$ form a satisfiable finite set of
formulas. A formula $G$ is the logical consequence of formulas
$P_1, \dots, P_n$ if and only if there exists a sequent tree for the sequent
$P_1, \dots, P_n, G^{\sim} \to G$ that does not contain any node (i.e. that is
the empty tree), and that is inferred in the calculus $ST_1^{\#}$
($ST_2^{\#}$).

A proof of Prop. 2 uses Prop. 1 and the notion of formula image of sequents.

Note that for the examples from the previous section, the empty tree will be
inferred both in $ST_1^{\#}$ and in $ST_2^{\#}$.

5 Calculi of Literal Trees 

The case when we examine only sequents of the form
$C_1, \dots, C_n \to L_1 \wedge \dots \wedge L_k$ requires a separate
consideration, where for every $i$ ($1 \le i \le n$) $C_i$ is
$M_{i,1} \vee \dots \vee M_{i,r_i}$ and $M_{1,1}, \dots, M_{n,r_n}$,
$L_1, \dots, L_k$ are literals.

Remark 4. As usual, an expression of the form $M_1 \vee \dots \vee M_r$ is
called a clause. Also note that in the case, when no more than one of literals
$M_1, \dots, M_r$ is an atomic formula, $M_1 \vee \dots \vee M_r$ is called a
positive Horn clause.

Because any first-order formula can be reduced to the conjunctive
(disjunctive) normal form by means of logical-equivalence preserving
transformations, it is easy to see that the establishment of the deducibility
of any sequent is equivalent to the establishment of the deducibility of a
sequent of the form $C_1, \dots, C_n \to L_1 \wedge \dots \wedge L_k \vee \dots \vee$,
where for every $i$ ($1 \le i \le n$) $C_i$ is
$M_{i,1} \vee \dots \vee M_{i,r_i}$, any $M_{i,j}$ and $L_k$ have no common
variables, and $M_{i,j}$ and $M_{p,q}$ can have common variables only if $i$
coincides with $p$. That is why we can investigate the deducibility of these
literal sequents only. In this connection note that if $G$ is
$L_1 \wedge \dots \wedge L_k$, then $G^{\sim}$ is
${\sim}L_1 \vee \dots \vee {\sim}L_k$.

Taking the above into account, the calculus $ST_1$ can be transformed into a
literal sequents calculus LT having the following rules. (Note that the
restriction of $ST_2$ on the case of clauses results in the same calculus LT.)

Goal Splitting rule. The rule below generalizes $(\to \wedge)$-rule from
$ST_1$ ($ST_2$) in the case, when $\wedge$ is considered as a multiple-place
operation.

$(\to \wedge)$-rule:

$$\frac{\Gamma \to L_1 \wedge \dots \wedge L_m}{\Gamma \to L_1,\ \dots,\ \Gamma \to L_m}$$

Auxiliary Goals rule. This rule is applied when the goal of a sequent is a 
literal. 

$(\vee \to)$-rule:

$\Gamma_1,\ A_1 \vee \dots \vee A_n \vee M \vee B_1 \vee \dots \vee B_r,\ \Gamma_2 \to L$

r> ^ A' n , r' bj , . . . , r' w r 

where $A_1, \dots, A_n$, $B_1, \dots, B_r$, $L$, and $M$ are literals,
$\Gamma'$ is the sequence
$\Gamma_1, A_1 \vee \dots \vee A_n \vee M \vee B_1 \vee \dots \vee B_r, \Gamma_2$,
$A'_1 \vee \dots \vee A'_n \vee M' \vee B'_1 \vee \dots \vee B'_r$ are renaming
of $A_1 \vee \dots \vee A_n \vee M \vee B_1 \vee \dots \vee B_r$ by new
variables, and $L \approx M'$ modulo

The calculus LT has the same $(\to \#)$-rule and CC-rule, as $ST_1$ has.

As to the duplication rule, $(\vee \to)$-rule contains it as a rule “built-in”
in LT. Also note that the Goal Splitting rule is applied to an initial sequent
only if it is necessary: further, Auxiliary Goal rule is applied again and
again, generating literals as new goals. That is why LT was called a calculus
of literal sequents.

Proposition 5.1. Let clauses $P_1, \dots, P_n$ form a satisfiable finite set
of clauses. A conjunction of literals $G$ is a logical consequence of
$P_1, \dots, P_n$ if and only if there exists a proof tree w.r.t. the sequent
$P_1, \dots, P_n, G^{\sim} \to G$ in LT.

Proof. According to Prop. 1, there exists a proof tree Tr w.r.t. the sequent
$P_1, \dots, P_n, G^{\sim} \to G$ in the calculus $ST_1$. Obviously, Tr consists
of sequents inferred by applications of $(\to \wedge)$-rules,
$(\vee \to)$-rules, $(\to \#)$-rule, and CC-rule only. It is not hard to
transform Tr into a proof tree in LT. Q.E.D.

We can introduce a calculus $LT^{\#}$ in the same way that was used for
$ST_1^{\#}$.

Corollary 5.1. Let clauses $P_1, \dots, P_n$ form a satisfiable finite set of
clauses. A conjunction of literals $G$ is the logical consequence of
$P_1, \dots, P_n$ if and only if there exists such an inference tree w.r.t. the
sequent $P_1, \dots, P_n, G^{\sim} \to G$ in the calculus $LT^{\#}$ that does not
contain any node (i.e. that is the empty tree).

5.1 Completeness of SLD-Resolution 

The peculiarity of the calculus LT is that antecedents of inferred sequents
coincide with the antecedent of an initial sequent, say, $\Gamma$. This permits
to consider $\Gamma$ as a set of input clauses and to transform any inference
tree Tr in LT into a tree j(Tr) having the same nodes as Tr, but labeled only
by goals of corresponding sequents. Such a tree q(Tr) is said to be a goal-tree
corresponding to Tr and we have an easy way to go from LT to SLD-resolution.

The completeness of SLD-resolution is a well-known result in Logic Program- 
ming (see, for example, [13,14]). The propositions below contain its modifications 
in the form of Prop. 3, Corollary 1, and Corollary 2. 
Corollary 5.2. (Soundness and Completeness of SLD-resolution.) Let positive
Horn clauses $P_1, \dots, P_n$ form a satisfiable finite set of clauses and $G$
be a conjunction of atomic formulas. The goal $G$ is the logical consequence of
$P_1, \dots, P_n$ if and only if there exists a proof tree w.r.t. the sequent
$P_1, \dots, P_n, G^{\sim} \to G$ in the calculus LT without any CC-rule
applications. In particular, the SLD-resolution is sound and complete.

Proof. It is obvious, because Tr does not contain sequents inferred by CC-rule
applications. Q.E.D.

Corollary 5.3. Let positive Horn clauses $P_1, \dots, P_n$ form a satisfiable
finite set of clauses, and $G$ be a conjunction of atomic formulas. The goal
$G$ is the logical consequence of $P_1, \dots, P_n$ if and only if there exists
an inference tree w.r.t. the sequent $P_1, \dots, P_n, G^{\sim} \to G$ in the
calculus $LT^{\#}$ (without any CC-rule applications) that does not contain any
node (i.e. that is the empty tree).

Remark 5. Prop. 3 and Corollaries 3, 4, and 5 show that the calculi LT and
$LT^{\#}$ can be considered as methods of extensions of SLD-resolution by means
of adding the very simple rule CC in the case of consideration of finite sets
of arbitrary clauses. This feature of the calculi LT and $LT^{\#}$ becomes
important, when we are interested in a complete and simple superstructure of
tools implementing SLD-resolution having the form of SLD-trees. If we are
interested in a general conclusion of SLD-resolution when arbitrary first-order
formulas are under consideration, different modifications of the calculus
$ST_1$ ($ST_2$) and $ST_1^{\#}$ ($ST_2^{\#}$) can be implemented.

6 Paramodulation in Sequent Tree Calculi 

Application of logic with equality for solving different tasks implies, as a
rule, construction and/or use of the already known methods for equality
handling. In this connection, we demonstrate some ways of incorporating
paramodulation-type rules into the above-described sequent tree calculi. These
ways are demonstrated for the literal calculi LT and $LT^{\#}$ only. Moreover,
in what follows we consider that the most general simultaneous unifier
$\sigma$ of S(L,M'), if it exists, immediately applies to all the goals of a
tree Tr inferred in LT by means of some $(\vee \to)$-rule application
generating H(L,M'). Note that the result of this application of $\sigma$ to Tr
is denoted by $Tr * \sigma$. (The restriction is caused by the consideration of
LT and $LT^{\#}$ only and has no principal role: the approach suggested here
can easily be extended to the case of the calculi $ST_1$ and $ST_2$.)

Below we use the notion of E-satisfiability of a set of formulas (in
particular, of clauses) in the form of [15]. This notion permits to tell about
E-consequence of one formula from another (from a set of formulas).

We remind that an expression of the form
$f(x_1, \dots, x_k) = f(x_1, \dots, x_k)$, where $f$ is a $k$-arity functional
symbol and $x_1, \dots, x_k$ are variables, is called functionally reflexive
axiom.

If $S$ is a sequent, then $Rf(S)$ denotes the set (sequence) of functionally
reflexive axioms for all the functional symbols from $S$, having a positive
arity.

The specific feature of the paramodulation extensions proposed is that the
“directions” of the paramodulation rule applications as separate rules should
be taken into account in the same way as in [16] (i.e. w.r.t. sequent trees)
and that to construct complete extensions (in general) only three
paramodulation-type rules from the four possible may be used (and this number
of rules cannot be decreased).



6.1 Paramodulation-Type Rules 

Let us define four types of the paramodulation rule. 

$P_i$- and $P_o$-paramodulation rules. Let Tr be a tree of sequents, and
$\Gamma \to M$ be a label of some of the leaves from Tr, and the literal $M$
is different from $\#$. Let us suppose that $\Gamma$ contains such a clause
$D$ that the paramodulation rule [15] is applicable from $C$ to $M$ (from
${\sim}M$ to $C$), where $M$ and ${\sim}M$ are considered as unit clauses, and
$C$ is a variant of $D$, which has no common variables with the labels from Tr.
Let $\sigma$ be a most general unifier and $L_1 \vee \dots \vee L_m$ be a
paramodulant of this paramodulation application from $C$ to $M$ (from
${\sim}M$ to $C$), where $L_1, \dots, L_m$ are literals. Then a tree deduced
from Tr (w.r.t. $D$) by the $P_i$-paramodulation rule (the
$P_o$-paramodulation rule) is said to be the result of the following
transformation of $Tr * \sigma$: $m$ immediate successors are added to the
selected leaf (with the label $\Gamma \to M * \sigma$), and for every $i$
($1 \le i \le m$) the sequent $\Gamma \to {\sim}L_i$ is assigned to the $i$th
successor when the successors are examined from left to right.

$P_d$- and $P_u$-paramodulation rules. Let Tr be a tree, and $w$ be some of the
branches of Tr, whose leaf label is $\Gamma \to L$, where $L$ is different from
$\#$. Let us suppose that the branch $w$ contains a node labelled by
$\Gamma \to M$ such that the paramodulation rule is applicable from ${\sim}M$
to $L$ (from ${\sim}L$ to $M$), where $L$ and $M$ are literals considered as
clauses. Let $\sigma$ be a most general unifier, and $L'$ be the paramodulant
of this paramodulation application from ${\sim}M$ to $L$ (from ${\sim}L$ to
$M$). Then a tree deduced from Tr by the $P_d$-paramodulation rule (by the
$P_u$-paramodulation rule) is said to be the result of the following
transformation of $Tr * \sigma$: one immediate successor with the label
$\Gamma \to L'$ is added to the selected leaf (with the label
$\Gamma \to L * \sigma$).



6.2 Sequent Tree Calculi with Paramodulation-Type Rules

Let us construct sequent tree calculi with paramodulation by adding the
above-defined rules $P_i$, $P_o$, $P_d$, and $P_u$ in such combinations that
lead to two essentially different classes of calculi, which are optimal in the
sense of their structure and the minimal number of paramodulation-type rules,
necessary for providing the completeness of the calculi suggested:

(i) Calculi $LT_d$ and $LT_d^{\#}$ are constructed by adding $P_i$, $P_o$, and
$P_d$ to LT and $LT^{\#}$ respectively,

(ii) Calculi $LT_u$ and $LT_u^{\#}$ are constructed by adding $P_i$, $P_o$, and
$P_u$ to LT and $LT^{\#}$ respectively.

6.3 Main Results for Calculi with Paramodulation-Type Rules 

Proposition 6.1. Let clauses $P_1, \dots, P_n$ form an E-satisfiable finite set
of clauses. Let $G$ be a conjunction of literals, and $S$ be the sequent
$P_1, \dots, P_n, G^{\sim} \to G$. The conjunction $G$ is the logical
E-consequence of $P_1, \dots, P_n$ if and only if there exists a proof tree
w.r.t. the sequent $P_1, \dots, P_n, G^{\sim}, x = x, Rf(S) \to G$ in $LT_d$.

Proof. The soundness of $LT_d$ can be obtained by using so-called clause images
of literal sequents. A proof of its completeness can be produced by induction
on the number of propositional connectives in an initial sequent in the same
way as was applied for proving the completeness of the linear paramodulation
in [15]. Q.E.D.

Proposition 6.2. Let clauses $P_1, \dots, P_n$ form an E-satisfiable finite set
of clauses. Let $G$ be the conjunction of literals, and $S$ be the sequent
$P_1, \dots, P_n, G^{\sim} \to G$. The conjunction $G$ is the logical
E-consequence of $P_1, \dots, P_n$ if and only if there exists a proof tree
w.r.t. the sequent $P_1, \dots, P_n, G^{\sim}, x = x, Rf(S) \to G$ in $LT_u$.

Proof. The soundness of $LT_u$ is obtained in the same way as in the case of
$LT_d$. Its completeness can be achieved by the transformation of a proof tree
in $LT_d$ into a proof tree in $LT_u$. Q.E.D.

Corollary 6.1. Let clauses $P_1, \dots, P_n$ form an E-satisfiable finite set
of clauses. Let $G$ be a conjunction of literals, and $S$ be the sequent
$P_1, \dots, P_n, G^{\sim} \to G$. The conjunction $G$ is a logical
E-consequence of $P_1, \dots, P_n$ if and only if there exists the empty tree
w.r.t. the sequent $P_1, \dots, P_n, G^{\sim}, x = x, Rf(S) \to G$ in
$LT_d^{\#}$, as well as in $LT_u^{\#}$.

Remark 6. Presence of functionally reflexive axioms in the formulations of the
above-given propositions is the necessary condition for the completeness of
both classes of calculi. This is demonstrated by an example given in the next
section. In addition note that adding the rules $P_i$, $P_o$, $P_d$, and $P_u$
to LT and $LT^{\#}$ in combinations different from the above-given ones and
containing no more than three paramodulation rules results in violation of the
completeness of calculi which can be constructed. The following examples
confirm this (below $a$ and $b$ are constants, $x$ is a variable, $f$, $g$,
$h$, and $s$ are functional symbols, and $R$ is a predicate symbol):

1. The deducibility of the sequent $R(b), R(a) \to a \neq b$ cannot be
established by using the combination {$P_i$, $P_d$, and $P_u$},

2. The deducibility of the sequent $a = b, R(a) \to R(b)$ cannot be established
by using the combination {$P_o$, $P_d$, and $P_u$}, and

3. The deducibility of the sequent
$x = x,\ a = f(a) \vee b = g(b),\ h(a) \neq h(f(f(a))) \to s(b) = s(g(g(b)))$
cannot be established by using the combination {$P_i$ and $P_o$}.



7 Example of Deducibility for Equality 



Let us establish that $a \neq b$ is an E-consequence of $\Gamma$, where
$\Gamma$ is the following formulas sequence written “from top to bottom”:

$\neg R_1(g_1(x,x)) \vee \neg R_2(g_2(y,y))$ (1),

$R_1(h_1(z,z))$ (2),

$R_2(h_2(u,u))$ (3),

$g_1(f(a),f(b)) = h_1(f(a),f(b))$ (4),

$g_2(f(a),f(b)) = h_2(f(a),f(b))$ (5).

($a$ and $b$ are constants, $x$, $y$, $z$, $u$ are variables, $R_1$ and $R_2$
are predicate symbols, and $f$, $g_1$, $g_2$, $h_1$ and $h_2$ are functional
symbols. Parentheses contain the numbers of the formulas to their left.)

To do this, let us consider a sequent $\Delta \to a \neq b$, where $\Delta$ is
$\Gamma$, $a = b$, $f(v) = f(v)$ (6).

(The equality $f(v) = f(v)$ is the functionally reflexive axiom for $f$. The
functionally reflexive axioms for all the other functional symbols $g_1$,
$g_2$, $h_1$, and $h_2$, as well as the reflexive axiom $x = x$ are omitted.)

For this sequent we have the following proof tree in $LT_d$:

$\Delta \to a \neq b$ (7) (initial sequent)

$\Delta \to g_1(f(a),f(a)) \neq h_1(f(a),f(b))$ (8) ($P_o$ from (7) to (4))

$\Delta \to g_1(f(a),f(a)) \neq h_1(f(a),f(a))$ (9) ($P_d$ from (7) to (8))

$\Delta \to R_1(h_1(f(a),f(a)))$ (10) ($P_o$ from (8) to (2))

$\Delta \to R_2(g_2(y,y))$ (11) ($(\vee \to)$, applied to (1) and (10))

$\Delta \to R_2(g_2(f(v),f(v)))$ (12) ($P_d$ from (7) to (10))

$\Delta \to R_2(g_2(f(a),f(v)))$ (13) ($P_d$ from (7) to (12))

$\Delta \to R_2(g_2(f(a),f(b)))$ (14) ($P_d$ from (7) to (13))

$\Delta \to R_2(h_2(f(a),f(b)))$ (15) ($P_i$ from (4) to (14))

$\Delta \to R_2(h_2(f(a),f(a)))$ (16) ($P_d$ from (7) to (15))

$\Delta \to \#$ (17) ($(\to \#)$, applied to (3) and (16))

In accordance with the Corollary 6, $a \neq b$ is an E-consequence of
$\Gamma$.

Remark 7. Without the functionally reflexive axiom $f(v) = f(v)$, it is
impossible to construct at least one proof tree w.r.t.
$\Delta \to R_2(g_2(y,y))$ (11) in the calculus $LT_d$ ($LT_u$) even if other
functionally reflexive axioms will be present. This guarantees that the
above-given example demonstrates the necessity of functionally reflexive axioms
for the completeness of both $LT_d$ and $LT_u$.
8 Conclusion

Summarizing the above-given results, we see that transferring to inference
search, which is based on sequent trees, has a number of positive features
connected with the possibility of the effective exploitation of sequent tree
formalism: skolemization, goal-driven control, and all the information being
kept in sequent trees both for CC-type propositional rules and for different
kinds of the paramodulation rule, which have forms of possible “directions”
(w.r.t. trees) of applying the paramodulation. (Unfortunately, the simplest
above-described way of incorporating the paramodulation into the sequent tree
calculi requires functionally reflexive axioms for preserving the completeness.
But it is “payment” for ease of its incorporation. The author hopes that
functionally reflexive axioms can be removed from the sequent tree calculi as
the result of further developing of these tree calculi with the help of some
analog of the lazy paramodulation [17].)

Besides, the sequent tree formalism can serve as a good basis for constructing
similar techniques and obtaining results for well-known forms of resolution and
paramodulation rules in linear formats. An example of this is the paper [18],
which gives insight into a new interpretation of the model-elimination method
[19, 20] (or, in terminology of [15], into the OL-method) and linear refutation
[21], whose “behavior” can sufficiently easily be simulated in the terms of the
literal tree calculi LT and $LT^{\#}$, and therefore, their paramodulation
reconstruction can be made in the spirit of this paper.

As to SLD-resolution, we must note that results obtained here give an easy way
to convert literal (sequent) trees to trees, which can be considered as a
general conclusion of the usual notion of SLD-trees. This gives a “key” to the
construction of complete resolution and paramodulation extensions of
SLD-refutation methods intended for their implementation in Prolog-like systems
that are used already in different applied fields.

In the opinion of the author of this paper, the above gives some possibilities
for incorporating the paramodulation technique proposed here into different
modifications both of tableaux methods and of model elimination methods in
order to attempt to increase their inference search efficiency by developing
different strategies that select “directed” applications of the paramodulation
rule. But such investigations require separate considerations. The same
concerns the possibility of further developing the above-developed
paramodulation technique for construction of sequent tree calculi that remain
complete without using functionally reflexive axioms.

Finally, we underline again that this paper serves as an example of the fact
that sequent tree-like structures keep much useful information for deduction,
and this information can be used in different ways for optimizing inference
search.
Abstract. We have studied the update operator $\oplus$ defined in [4] without
tautologies and we have observed that it satisfies an interesting property.
This property is similar to one postulate proposed by AGM but, in this case,
for nonmonotonic logic, and we call it WIS. Also, we consider five additional
basic properties of update programs and we show that $\oplus$ satisfies them.
So, this work continues the analysis of the AGM postulates with respect to the
operator $\oplus$ under the refined view that includes knowledge and beliefs
that we began in a recent previous paper and that satisfies the WIS property
for closed programs under tautologies.

Keywords: Answer set programming; Nelson logic; Update programs; Strong
negation; AGM postulates; Properties.



1 Introduction 

A-Prolog (Stable Logic Programming [5] or Answer Set Programming) is the
realization of much theoretical work on Nonmonotonic Reasoning and AI
applications of Logic Programming (LP) in the last 15 years. This is an
important logic programming paradigm that now has great acceptance in the
community. Efficient software to compute answer sets and a large list of
applications to model real life problems justify this assertion. The two most
well-known systems that compute answer sets are dlv¹ and smodels². A
characterization of answer sets by intuitionistic logic has recently been
provided as follows: a literal is entailed by a program in the answer set
semantics if and only if it belongs to every intuitionistically complete and
consistent extension of the program formed by adding only negated literals
[10]. The idea of these completions using in general intermediate logics is due
to Pearce [8]. This logical approach provides the foundations to define the
notion of nonmonotonic inference of any propositional theory (using the
standard connectives) in terms of a monotonic logic (namely intuitionistic
logic), see [8,10,9]. The proposed interpretation would be the following: Given
a theory $T$, its knowledge is understood as the formulas $F$ such that $F$ is
derived in $T$ using intuitionistic logic. This makes sense, since in
intuitionistic logic according to Brouwer, $F$ is identified with “I know $F$”
(or perhaps some reader would prefer to understand the notion of “knowledge” as
“justified belief”). An agent whose knowledge base is the theory $T$ believes
$F$ if and only if $F$ belongs to every intuitionistically complete and
consistent extension of $T$ by adding only negated literals (here “belief”
could be better interpreted as “coherent” belief). Take for instance:
$\neg a \to b$. The agent knows $\neg a \to b$, $\neg b \to \neg\neg a$ and so
on and so forth. The agent does not know however $a$. Nevertheless, one
believes more than one knows, but a cautious agent must have its beliefs
consistent with its knowledge. This agent will then assume negated literals to
be able to infer more information. Thus, in our example, our agent will believe
$\neg a$ and so he/she can conclude $b$. It also makes sense that a cautious
agent will believe $\neg a$ or $\neg\neg a$ rather than believe $a$ (recall
that $a$ is not equivalent to $\neg\neg a$ in intuitionistic logic). This view
seems to agree with a point of view by Kowalski, namely that “Logic and LP need
to be put into place: Logic within the thinking component of the
observation-thought-action cycle of a single agent, and LP within the belief
component of thought”. As Pearce noticed, if we include strong negation we just
have to move to Nelson logics [8]. We select here N, the least constructive
(strong negation) extension of intuitionistic logic, because it is the minimum
necessary to satisfy our properties. Also, N is the nearest to intuitionistic
logic. For this reason we don’t need $N_2$. We say that two theories $T_1$ and
$T_2$ are equivalent knowledge if they are equivalent in N. We denote this fact
by $T_1 \equiv_K T_2$. We say that $T_1$ and $T_2$ are equivalent if they have
the same answer sets. We denote this fact by $T_1 \equiv T_2$. We will write
$P \vdash_K \alpha$ to denote the fact that $P \vdash_N \alpha$. The idea for
using K instead of N is due to two reasons: First, to emphasize the reading $P$
“knows” $\alpha$. Second, because strictly speaking we are translating the
connective symbols. Similarly we will write $P_1 \equiv_K P_2$ instead of
$P_1 \equiv_N P_2$.

¹ http://www.dbai.tuwien.ac.at/proj/dlv

² http://saturn.hut.fi/pub/smodels



In this paper we address our approach to updating nonmonotonic knowledge bases
represented as extended logic programs under the answer set semantics; two very
good recent reviews with many references are [2,4]. If new knowledge of the
world is somehow obtained, and it doesn’t conflict with the previous knowledge,
then this new knowledge only expands knowledge. If, on the contrary, new
knowledge is inconsistent with the previous knowledge, and we want knowledge to
be always consistent so that our agents can act at every moment, we should
solve this problem somehow. We point out that new information is incorporated
into the current knowledge base subject to a causal rejection principle, which
enforces that, in case of conflicts between rules, more recent rules are
preferred and older rules are overridden. Some well-known proposals are
presented in [4] and [2]. In particular [4] presents a complete analysis with
respect to properties that an update operator should have, with the purpose of
obtaining a sure and reliable update process for our agents. In this context,
it is necessary to point out that when one wants to choose a theory to develop
applications, it is very important to know the properties that hold in the
theory. It is in this sense that we have focused on investigating the
properties that hold under our theory, and not on presenting properties that do
not hold.

In this paper, we consider properties similar to the well-known AGM postulates.
We think that it is necessary to reinterpret them in the context of
nonmonotonic reasoning via answer set programming. In addition, we pay
particular attention to our view that distinguishes beliefs from justified
beliefs. As a beginning, we only study Dalal’s Principle of Irrelevance of
Syntax [7], according to which the meaning of the knowledge that results from
an update must be independent of the syntax of the original knowledge, as well
as independent of the syntax of the update itself. In [4] the authors analyze
and interpret the AGM postulate corresponding to Dalal’s principle as follows:

$T_1 \equiv T_2$ implies $S(K \oplus T_1) = S(K \oplus T_2)$.

Where $T_1$ and $T_2$ are any theories. By $S(P)$ we denote the collection of
all answer sets of $P$. If $S(P) \neq \emptyset$, then $P$ is consistent.
“$\oplus$” is the revision operator, and equivalence is understood to mean that
both programs ($T_1$ and $T_2$) have the same answer sets. This interpretation
expresses a very demanding principle of irrelevance of syntax, because the AGM
postulates were introduced for monotonic logics. We propose to reconsider the
AGM postulates [1] under our new interpretation that considers “justified
beliefs” and “belief”. To this aim we have introduced in [11] a new property,
which we call Weak Irrelevance of Syntax, as follows:

(WIS): $T_1 \equiv_K T_2$ implies $S(K \oplus T_1) = S(K \oplus T_2)$.

Where $T_1 \equiv_K T_2$ has a stronger meaning than before. The intended
meaning is that $T_1$ and $T_2$ have the same justified beliefs. We show that
the proposal shown in [4] for updates almost satisfies this principle. In fact
we show that for programs without tautologies, this principle holds. We should
point out that this property is accepted as much in belief revision as in
updates, as it is shown in [4]. Also, [4] notes, however, that tautological
rules in updates are, as we believe, rare in practical applications and can be
eliminated easily.

Our paper is structured as follows: In section 2 we present the general syntax 
of clauses, we also provide the definition of answer sets for augmented logic 
programs as well as some background on logic, in particular on N logic. Section 
3 contains the definition about update programs given in [4] and some related 
concepts. Next, in section 4 we introduce our principal property called WIS 
and introduce our main contribution in this respect. Section 5 contains some 
additional properties about update operator. Finally, the conclusions are drawn 
in section 6. 



2 Background 

In this section, we give some general definitions for our theory. We define our 
theory about logic program, which consists of rules built over a finite set A of 
propositional atoms, where these programs can only contain default negation. 
Later, we introduce strong negation in similar form as in [8]. 
2.1 Preliminaries

Formulas are built from propositional atoms and the 0-place connectives $\top$
and $\bot$ using negation as failure (not) and conjunction (,). A rule is an
expression of the form:

$A \leftarrow B_1, \dots, B_m, \text{not } B_{m+1}, \dots, \text{not } B_n$. (1)

Where $A$ and each $B_i$ are atoms. If
$B_1, \dots, B_m, \text{not } B_{m+1}, \dots, \text{not } B_n$ is $\top$ then we
identify rule (1) with rule $A$. If $A$ is $\bot$ then we identify rule (1)
with a constraint. A program is a finite set of rules. An interpretation $I$ is
a function $I : C \to \{\top, \bot\}$ that assigns a truth value to each atom in
the language. For a given interpretation $I$ and a formula $F$ we say that $I$
is a model of $F$ if $I(F) = \top$, in the usual way in classical logic
(denoted as $I \models F$). Similarly $I$ is a model of a program $P$ if it is a
model of each formula contained in $P$. We restrict our attention to finite
logic programs. As it is shown in [3], the Gelfond-Lifschitz transformation for
a program $P$ and a model $N \subseteq B_P$ ($B_P$ denotes the set of atoms that
appear in $P$) is defined by

$P^N = \{ rule^N : rule \in P \}$

where

$(A \leftarrow B_1, \dots, B_m, \text{not } C_1, \dots, \text{not } C_n)^N$ is either:

a) $A \leftarrow B_1, \dots, B_m$, if $\forall j \le n : C_j \notin N$;

b) $\top$, otherwise.

Note that $P^N$ is always a definite program (i.e., a program consisting of
positive atoms only). We can therefore compute its least Herbrand model
(denoted as $M_{P^N}$) and check whether it coincides with the model $N$ which
we started with.

Definition 1. ([3]) $N$ is a stable model of $P$ iff $N$ is the least model of $P^N$.
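
The check in Definition 1 can be run directly. The Python sketch below is an added example, not code from the paper: the names Rule, reduct, least_model and stable_models and the three sample programs are constructed here, and the first sample reads the introduction's formula "not a implies b" as the rule b <- not a (an assumption of this example). It builds the reduct P^N by cases a) and b), computes the least Herbrand model of the resulting definite program, and keeps the candidates N that reproduce themselves.

```python
from itertools import chain, combinations
from typing import FrozenSet, Iterable, List, NamedTuple, Optional, Set


class Rule(NamedTuple):
    """A <- B_1,...,B_m, not C_1,...,not C_n (head None encodes a constraint)."""
    head: Optional[str]
    pos: FrozenSet[str] = frozenset()
    neg: FrozenSet[str] = frozenset()


def atoms(program: Iterable[Rule]) -> Set[str]:
    """B_P: every atom that appears in the program."""
    found: Set[str] = set()
    for r in program:
        found |= r.pos | r.neg
        if r.head is not None:
            found.add(r.head)
    return found


def reduct(program: Iterable[Rule], n: Set[str]) -> List[Rule]:
    """Gelfond-Lifschitz reduct P^N.

    Case a): no C_j belongs to N, so the rule is kept without its 'not' part.
    Case b): some C_j belongs to N, so the rule becomes T and is dropped.
    """
    return [Rule(r.head, r.pos) for r in program if not (r.neg & n)]


def least_model(definite: Iterable[Rule]) -> Optional[Set[str]]:
    """Least Herbrand model of a definite program, by fixpoint iteration.

    Returns None when a constraint fires on that model, i.e. the reduct
    has no model at all.
    """
    rules = list(definite)
    model: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for r in rules:
            if r.head is not None and r.pos <= model and r.head not in model:
                model.add(r.head)
                changed = True
    if any(r.head is None and r.pos <= model for r in rules):
        return None
    return model


def is_stable(program: List[Rule], n: Set[str]) -> bool:
    """Definition 1: N is stable iff N is the least model of P^N."""
    return least_model(reduct(program, n)) == n


def stable_models(program: List[Rule]) -> List[Set[str]]:
    """Try every N that is a subset of B_P (exponential, fine for small programs)."""
    universe = sorted(atoms(program))
    candidates = chain.from_iterable(
        combinations(universe, k) for k in range(len(universe) + 1))
    return [set(c) for c in candidates if is_stable(program, set(c))]


# Constructed sample programs (not taken from the paper).
CAUTIOUS_AGENT = [Rule("b", neg=frozenset({"a"}))]   # b <- not a
EVEN_LOOP = [Rule("a", neg=frozenset({"b"})),         # a <- not b
             Rule("b", neg=frozenset({"a"}))]         # b <- not a
ODD_LOOP = [Rule("p", neg=frozenset({"p"}))]          # p <- not p

if __name__ == "__main__":
    for name, prog in [("b <- not a", CAUTIOUS_AGENT),
                       ("a <- not b; b <- not a", EVEN_LOOP),
                       ("p <- not p", ODD_LOOP)]:
        print(name, "=>", stable_models(prog))
```

The third program has no stable model at all: for N = {} the reduct derives p, and for N = {p} the only rule is dropped, so neither candidate reproduces itself.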



2.2 Adding Strong Negation 

We extend the language adding strong negation (denoted by ${\sim}$).
Syntactically, the status of the strong negation operator “${\sim}$” is
different from the status of the operator “not”; the difference is the
following: not $p$ can be denoted by $p \to \bot$, i.e., we use “not” when
evidence doesn’t exist about $p$. In the same form, we use ${\sim}$ when we
know that $p$ is false or it doesn’t happen. We can say that answer sets are
usually defined for logic programs possessing this second kind of negation,
that as we mentioned previously expresses the direct or explicit falsity of an
atom.

A literal, $L$, is either an atom $A$ (a positive literal) or a strongly
negated atom ${\sim}A$ (a negative literal). For a literal $L$, the
complementary literal, ${\sim}L$, is ${\sim}A$ if $L = A$, and $A$ if
$L = {\sim}A$, for some atom $A$. For a set $S$ of literals, we define
${\sim}S = \{{\sim}L \mid L \in S\}$, and denote by $Lit_{\mathcal{A}}$ the set
$\mathcal{A} \cup {\sim}\mathcal{A}$ of all literals over $\mathcal{A}$. A
literal preceded by not is called a weakly negated literal.

Therefore, a rule is an expression of the form:

$A \leftarrow B_1, \dots, B_m, \text{not } B_{m+1}, \dots, \text{not } B_n$. (2)

Where $A$ and each $B_i$ are literals. An Extended Logic Program (ELP) $P$ is a
set of rules (2). For a rule $r$ of the form (2) we define $H(r) = \{A\}$ and
$B(r) = \{B_1, \dots, B_m, \text{not } B_{m+1}, \dots, \text{not } B_n\}$.

The concept of modeling ($I \models P$) is extended to include strong negation
as explained in [4]. The concept of answer set can be extended in a similar
way, see [6]. We will consider only ELPs in the rest of the paper unless stated
otherwise.

2.3 Nelson Logics 

Now we give a brief description of N logic, because it gives an alternative
interpretation of the theoretical foundation of ASP [8]. Recall that a natural
deduction system for intuitionistic logic can be obtained from the corresponding
classical system by dropping the law of the excluded middle

$$F \lor \neg F$$

from the list of postulates. N is the minimal extension of intuitionistic logic
with strong negation and axioms of Nelson logic. A formalization of $N_2$ can be
obtained from intuitionistic logic by adding the axiom schema
$F \lor (F \to G) \lor \neg G$ and axioms of Nelson logic.

The correspondence between the language of logic programs and the
language of propositional formulas in the presence of two negations is described
in [8]. The main theorem in [8] readily generalizes to the new setting: we can
show that two extended programs are strongly equivalent if and only if they are
equivalent in the $N_2$ logic [8].

It is well known that provability in N can be reduced to provability in
intuitionistic logic [12]. For example, if we want to know if
$\sim(a \land b) \to \neg b$ is a theorem in N, we can just check if
$((a' \to \neg a) \land (b' \to \neg b)) \to ((a' \lor b') \to \neg b)$
is a theorem in I. By abuse of notation we can understand ~a as a new atom
and we only ask if
$((\sim a \to \neg a) \land (\sim b \to \neg b)) \to (\sim a \lor \sim b) \to \neg b$
in our example. Similarly, provability in $N_2$ can be reduced to provability in
G3. We will assume this result freely in the rest of the paper.

The next theorem is a simple corollary of results in [8]. However, notice that
we do not require strong equivalence. Hence we just need N logic and not the
full power of $N_2$.

Theorem 1. For any programs $P_1$ and $P_2$, $P_1 \equiv_N P_2$ implies that for
every program P, $P_1 \cup P$ and $P_2 \cup P$ have the same answer sets.

We will write $P \vdash_K \alpha$ to denote the fact that $P \vdash_N \alpha$. The
idea of using K instead of N is due to two reasons: first, to emphasize the
reading P “knows” $\alpha$; second, because strictly speaking we are translating
the connective symbols. Similarly we will write $P_1 \equiv_K P_2$ instead of
$P_1 \equiv_N P_2$. We will write $P_1 \equiv P_2$ to denote that $P_1$ and $P_2$
have the same answer sets.
3 Update Programs

In [4] the authors define an update sequence $\mathbf{P}$ as a series of two
programs $(P_1, P_2)$ of extended logic programs (ELPs). We say that $\mathbf{P}$
is an update sequence over $\mathcal{A}$ iff $\mathcal{A}$ represents the set of
atoms occurring in the rules of the constituting elements $P_i$ of $\mathbf{P}$
($1 \le i \le 2$). Given an update sequence $\mathbf{P} = (P_1, P_2)$ over
$\mathcal{A}$, we assume a set $\mathcal{A}^*$ extending $\mathcal{A}$ by new,
pairwise distinct atoms $rej(r)$ and $A_i$, for each r occurring in $\mathbf{P}$,
each atom $A \in \mathcal{A}$, and each i, $1 \le i \le 2$. We further assume an
injective naming function $N(\cdot, \cdot)$, which assigns to each rule r in a
program $P_i$ a distinguished name, $N(r, P_i)$, obeying the condition
$N(r, P_i) \ne N(r', P_j)$ whenever $i \ne j$. With a slight abuse of notation we
shall identify r with $N(r, P_i)$ as usual. Finally, for a literal L, we write
$L_i$ to denote the result of replacing the atomic formula A of L by $A_i$. Let us
consider the definition of the update sequence given by Eiter et al., but only in
the case of two programs, and let us make a slight change of notation. Our
proposal can also be extended to the general case $(P_1, P_2, \ldots, P_n)$ in the
iterative form as shown in [4]. Under certain conditions, which exclude
possibilities for local inconsistencies, the iterativity property holds.

Definition 2. [4] Given an update sequence $\mathbf{P} = (P_1, P_2)$ over a set
of atoms $\mathcal{A}$, we define the update program
$\mathbf{P}_\oplus = P_1 \oplus P_2$ over $\mathcal{A}^*$ consisting of
the following items:

(i) all constraints in $P_1 \cup P_2$;

(ii) for each $r \in P_1$:

$L_1 \leftarrow B(r), not\ rej(r).$ if $H(r) = L$;
$rej(r) \leftarrow B(r), \neg L_2.$

(iii) for each $r \in P_2$:

$L_2 \leftarrow B(r).$ if $H(r) = L$;

(iv) for each literal L occurring in $\mathbf{P}$:

$L_1 \leftarrow L_2.$ $L \leftarrow L_1.$

Definition 3. [4] Let $\mathbf{P} = (P_1, P_2)$ be an update sequence over a set
of atoms $\mathcal{A}$. Then, $S \subseteq Lit_{\mathcal{A}}$ is an update answer
set of $\mathbf{P}$ iff $S = S' \cap \mathcal{A}$ for some answer set $S'$ of
$\mathbf{P}_\oplus$. The collection of all update answer sets of $\mathbf{P}$ is
denoted by $U(\mathbf{P})$.

Given two update programs $P_1$, $P_2$, we write $P_1 \equiv P_2$ if they have the
same update answer sets.

Example 1. This example was taken from [4].

Let P be:
sleep ← not tv-on.
night.
tv-on.
watch-tv ← tv-on.

Let $P_1$ be:
~tv-on ← power-failure.
power-failure.

Applying definition 2 to both programs, we obtain: 

The single answer set of $\mathbf{P} = (P, P_1)$ using definition 3 is

S = {power-failure, ~tv-on, sleep, night}, as desired,
since the only answer set of $\mathbf{P}_\oplus$ is given by:

{sleep1, night1, rej-r3, ~tv-on2, power-failure, power-failure2, ~tv-on1,
power-failure1, sleep, night, ~tv-on}
Definition 4. [4] Let us call two rules $r_1$ and $r_2$ conflicting iff
$H(r_1) = \sim H(r_2)$.

Definition 5. [4] For an update sequence $\mathbf{P} = (P_1, \ldots, P_n)$ over a
set of atoms $\mathcal{A}$ and $S \subseteq Lit_{\mathcal{A}}$, based on the
principle of founded rule rejection, we define the rejection set of S by
$Rej(S, \mathbf{P}) = \bigcup_{i=1}^{n} Rej_i(S, \mathbf{P})$, where
$Rej_n(S, \mathbf{P}) = \emptyset$, and, for $n > i \ge 1$,

$Rej_i(S, \mathbf{P}) = \{r \in P_i \mid \exists r' \in P_j \setminus Rej_j(S, \mathbf{P})$, for some $j \in \{i+1, \ldots, n\}$
such that $r, r'$ are conflicting and $S \models B(r) \cup B(r')\}$.

Definition 6. [4] For an update sequence $\mathbf{P} = (P_1, \ldots, P_n)$ over a
set of atoms $\mathcal{A}$ and $S \subseteq Lit_{\mathcal{A}}$, let us define

$Rej'(S, \mathbf{P}) = \bigcup_{i=1}^{n} \{r \in P_i \mid \exists r' \in P_j$, for some $j \in \{i+1, \ldots, n\}$
such that $r, r'$ are conflicting and $S \models B(r) \cup B(r')\}$.

Note: Observe that $Rej$ and $Rej'$ coincide for two programs. Furthermore,
$Rej'(S, (P_1, P_2)) = \{r \in P_1 \mid \exists r' \in P_2$ such that r and r' are
conflicting rules, and $S \models B(r) \cup B(r')\}$.

Lemma 1. Let $\mathbf{P} = (P_1, P_2)$ be an update sequence over a set of atoms
$\mathcal{A}$ and $S \subseteq Lit_{\mathcal{A}}$ a set of literals. Then, S is an
answer set of $\mathbf{P}$ iff S is an answer set of
$(P_1 \cup P_2 \setminus Rej'(S, \mathbf{P}))^S$.

Proof: S is an answer set of $\mathbf{P}$ iff

S is the minimal model of $(\cup\mathbf{P} \setminus Rej(S, \mathbf{P}))^S$ (by theorem 4 given in [4]) iff
S is an answer set of $(P_1 \cup P_2 \setminus Rej(S, \mathbf{P}))$ iff
S is an answer set of $(P_1 \cup P_2 \setminus Rej'(S, \mathbf{P}))$ as desired.

It is necessary to point out that in [4], update programs do not satisfy many
of the properties defined in the literature. This is partly explained by the 
nonmonotonicity of logic programs and the causal rejection principle embodied 
in the semantics, which strongly depends on the syntax of rules. 

Next, we present an example where the “equivalence” between two programs,
$P_1$ and $P_2$, is not enough to preserve the equivalence when we update each one
of these programs with another program P.

Let $P_1 = \{a \leftarrow b.\}$, let $P_2 = \{a \leftarrow a.,\ b \leftarrow b.\}$ and let $P = \{b.\}$

Here, $P_1$ and $P_2$ are two equivalent programs, but
$P_1 \oplus P \equiv P_2 \oplus P$ is false.

The unique answer set of $P_1$ and $P_2$ is the empty set. The only answer set of
$P_1 \oplus P$ is {a, b}; on the other hand, the only answer set of $P_2 \oplus P$
is {b}.

Note that $P \oplus P_1 \equiv P \oplus P_2$ is false, too.
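The following added example (not code from the paper) checks Example 1 and the counterexample above by brute force, using the characterization of Lemma 1: S is an update answer set of (P1, P2) iff S is the least model of the reduct of (P1 ∪ P2) \ Rej'(S, (P1, P2)) with respect to S. The function names and the string encoding of literals ("~" prefix for strong negation) are assumptions of this sketch, and only consistent candidate sets are considered.

```python
from itertools import combinations


def rule(head, pos=(), naf=()):
    """Rule 'head <- pos, not naf'; a literal is a string, '~x' is strong negation."""
    return (head, frozenset(pos), frozenset(naf))


def complement(lit):
    """Complementary literal: ~A for A, and A for ~A."""
    return lit[1:] if lit.startswith("~") else "~" + lit


def body_holds(r, s):
    """S |= B(r): positive body inside S, no weakly negated literal in S."""
    _, pos, naf = r
    return pos <= s and not (naf & s)


def rejected(s, p1, p2):
    """Rej'(S, (P1, P2)): rules of P1 with a conflicting rule in P2, both bodies true in S."""
    return {
        r for r in p1
        if body_holds(r, s)
        and any(r2[0] == complement(r[0]) and body_holds(r2, s) for r2 in p2)
    }


def least_model(definite_rules):
    """Least Herbrand model of a definite program given as (head, positive body) pairs."""
    model, changed = set(), True
    while changed:
        changed = False
        for head, pos in definite_rules:
            if head not in model and pos <= model:
                model.add(head)
                changed = True
    return model


def update_answer_sets(p1, p2):
    """All consistent S that are the least model of ((P1 u P2) minus Rej'(S))^S."""
    literals = sorted({l for h, pos, naf in list(p1) + list(p2)
                       for l in (h, *pos, *naf)})
    found = []
    for size in range(len(literals) + 1):
        for candidate in combinations(literals, size):
            s = frozenset(candidate)
            if any(complement(l) in s for l in s):
                continue  # assumption: inconsistent candidates are skipped
            rej = rejected(s, p1, p2)
            kept = [r for r in p1 if r not in rej] + list(p2)
            # Gelfond-Lifschitz reduct with respect to S
            reduct = [(h, pos) for h, pos, naf in kept if not (naf & s)]
            if least_model(reduct) == s:
                found.append(s)
    return found


# Example 1 of the text: P updated by P1.
EX1_P = [rule("sleep", naf=["tv-on"]), rule("night"), rule("tv-on"),
         rule("watch-tv", ["tv-on"])]
EX1_P1 = [rule("~tv-on", ["power-failure"]), rule("power-failure")]

# Counterexample of the text: P1 and P2 have the same answer sets, the updates do not.
CE_P1 = [rule("a", ["b"])]
CE_P2 = [rule("a", ["a"]), rule("b", ["b"])]
CE_P = [rule("b")]

if __name__ == "__main__":
    print("Example 1:", [sorted(s) for s in update_answer_sets(EX1_P, EX1_P1)])
    print("P1 + P:", [sorted(s) for s in update_answer_sets(CE_P1, CE_P)])
    print("P2 + P:", [sorted(s) for s in update_answer_sets(CE_P2, CE_P)])
```

Passing an empty second program gives the ordinary answer sets of a single program, which is how the claim that both $P_1$ and $P_2$ have only the empty answer set can be checked.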



4 Weak Irrelevance of Syntax 

Within our main results, we can see that the proposal presented in [4] satisfies 
WIS considering programs without tautologies. 
Example 2. This example shows how WIS fails.

Let P be ~d. Let P\ be h. Let P 2 be h. 

d<— h. d-s— d. 1 h— d. 

Here, $P_1$ and $P_2$ are strongly equivalent. However, the update $P \oplus P_1$
has only one answer set, {h, d}, and the update $P \oplus P_2$ doesn’t have answer
sets; therefore WIS fails.



4.1 Main Results 

We are now going to define a new framework for logic program updates that 
satisfies Weak Irrelevance of Syntax. 

Definition 7. P is tau-free w.r.t. a signature $\mathcal{L}$ if no rule of the
form $l \leftarrow l, \alpha$ belongs to P, where $\alpha$ could be empty.

Lemma 2. Let P be a program and a a literal. Suppose $P \vdash_K a$, and
$M \models P$. Then $\exists r \in P$, where r has the form $a \leftarrow \beta$,
such that $M \models \beta$.

Lemma 3. Let $P_2$, {c} and {r} be tau-free programs, where $r \in P_1$, and M
an interpretation. Suppose $P_2 \vdash_K c$, $M \models B(r) \land B(c)$, and
$M \models P_2$. Also, r and c are conflicting rules. Then
$\exists r' \in P_2$ | r' is a conflicting rule with r and
$M \models B(r) \land B(r')$.

Proof: Let c and r be formulas of the form $x \leftarrow \theta$ and
$\sim x \leftarrow \beta$ respectively, also $r \in P_1$. So, $M \models B(r)$,
and c and r are conflicting rules. Furthermore, $M \models P_2 \cup \{\theta\}$
(i.e., $P_2 \cup \{\theta\}$ is consistent). By the deduction theorem
$P_2 \cup \{\theta\} \vdash_K x$. By lemma 2: $\exists r' \in P_2 \cup \{\theta\}$
such that r' is of the form $x \leftarrow B(r')$ and $M \models B(r')$. Moreover
$r' \in P_2$, due to the restriction that considers only tau-free programs. So, we
know that r and r' are conflicting rules and as $M \models B(r')$ then
$M \models B(r) \land B(r')$.

Lemma 4. Let c be a tau-free rule. Let $P_1$ and $P_2$ be tau-free
programs. Suppose S is an answer set of $(P_1, P_2)$ and $P_2 \vdash_K c$. Then
$Rej(S, (P_1, P_2)) = Rej(S, (P_1, P_2 \cup \{c\}))$.

Proof: We need to prove two cases:

Case 1) $Rej(S, (P_1, P_2)) \subseteq Rej(S, (P_1, P_2 \cup \{c\}))$. Clearly holds.

Case 2) $Rej(S, (P_1, P_2 \cup \{c\})) \subseteq Rej(S, (P_1, P_2))$

Let $r \in Rej(S, (P_1, P_2 \cup \{c\}))$; then $\exists r' \in (P_2 \cup \{c\})$
such that $S \models B(r) \land B(r')$. Here, we have two cases:

a) If $r' \in P_2$ then $r \in Rej(S, (P_1, P_2))$, as desired.

b) If $r' = c$, we have $r \in P_1$, $P_2 \vdash_K c$, $S \models B(r) \land B(c)$,
r and c are conflicting rules, and $S \models P_2$ because S is an answer set of
$(P_1, P_2)$. Then, by lemma 3, $\exists r'' \in P_2$ | r and r'' are conflicting
rules and $S \models B(r) \land B(r'')$. Hence, $r \in Rej(S, (P_1, P_2))$, as
desired.
The following two notes are necessary for Lemma 5.

Note a: $Rej'$ only erases clauses from $P_1$ (not from $P_2$).

Note b: $P' \vdash_K c$ implies $P' \equiv_K P' \cup \{c\}$.

Lemma 5. Let $P_1$, $P_2$ and {c} be tau-free programs. If $P_2 \vdash_K c$ then
$P_1 \oplus P_2 \equiv P_1 \oplus (P_2 \cup \{c\})$.

Proof:

S is an answer set of $P_1 \oplus P_2$ iff by lemma 1

S is an answer set of $(P_1 \cup P_2) \setminus Rej'(S, (P_1, P_2))$ iff by note a

S is an answer set of $(P_1 \setminus Rej'(S, (P_1, P_2))) \cup P_2$ iff by lemma 4

S is an answer set of $(P_1 \setminus Rej'(S, (P_1, P_2 \cup \{c\}))) \cup P_2$ iff by note b

S is an answer set of $(P_1 \setminus Rej'(S, (P_1, P_2 \cup \{c\}))) \cup (P_2 \cup \{c\})$ iff by note a

S is an answer set of $(P_1 \cup (P_2 \cup \{c\})) \setminus Rej'(S, (P_1, P_2 \cup \{c\}))$ iff by lemma 1

S is an answer set of $P_1 \oplus (P_2 \cup \{c\})$

Hence $P_1 \oplus P_2 \equiv P_1 \oplus (P_2 \cup \{c\})$ as desired.



Lemma 6. Let P, $P_1$ and R be tau-free programs. Suppose that
$P_1 \vdash_K R$. Then $P \oplus P_1 \equiv P \oplus (P_1 \cup R)$.

Proof: By induction on the size of R.

Base case: Let $R = \emptyset$, then the result is immediate.

Induction Hypothesis: Let $P_1$, R, and {c} be tau-free programs. We need
to show: if $P_1 \vdash_K R \cup \{c\}$ then
$P \oplus P_1 \equiv P \oplus (P_1 \cup (R \cup \{c\}))$.

But we know that $P_1 \vdash_K R \cup \{c\}$ means that $P_1 \vdash_K R$ and
$P_1 \vdash_K c$; then applying the induction hypothesis,
$P \oplus P_1 \equiv P \oplus (P_1 \cup R)$ (I)

By lemma 5, $P_1 \cup R \vdash_K c$, then
$P \oplus (P_1 \cup R) \equiv P \oplus ((P_1 \cup R) \cup \{c\})$ (II)

Now, from (I) and (II) we have $P \oplus P_1 \equiv P \oplus ((P_1 \cup R) \cup \{c\})$

Since $P \oplus ((P_1 \cup R) \cup \{c\}) \equiv P \oplus (P_1 \cup (R \cup \{c\}))$ we obtain
$P \oplus P_1 \equiv P \oplus (P_1 \cup (R \cup \{c\}))$ as desired.

Theorem 2. Let P, $P_1$ and $P_2$ be tau-free programs under the same language
$\mathcal{L}$. If $P_1 \equiv_K P_2$ then $P \oplus P_1 \equiv P \oplus P_2$.

Proof: i) $P \oplus P_1 \equiv P \oplus (P_1 \cup P_2)$ applying lemma 6.

Besides, if $P_1 \equiv_K P_2$ then $P_2 \equiv_K P_1$ and applying lemma 6 to
$P \oplus P_2$ we have
ii) $P \oplus P_2 \equiv P \oplus (P_2 \cup P_1)$

Also, $P \oplus (P_1 \cup P_2) \equiv P \oplus (P_2 \cup P_1)$

Finally, by transitivity between i) and ii) we have
$P \oplus P_1 \equiv P \oplus P_2$ as desired.

It should be emphasized that only lemma 3 depends on the properties of
the operator. Therefore, we can say that any operator satisfying lemma 3 would
have the WIS property, assuming, of course, the answer set semantics. Next, we
present an example that satisfies WIS in our new framework.
Example 3. This example shows that WIS holds.

Let P be: ~a. Let Pi be: a-S— b. Let P 2 be: a<— b. 

b. cb — a. ch — a. 

d<— b. 

Here, $P_1$ and $P_2$ are strongly equivalent. If we update $P \oplus P_1$ we
obtain that the answer set is {b, d, a} and the update $P \oplus P_2$ has the same
answer set, therefore WIS holds.



5 New Properties of the Update Operator $\oplus$

As we have mentioned, the interpretation given in [4] of the AGM postulates
expresses a very demanding principle of irrelevance of syntax, because the AGM
postulates were introduced for monotonic logics. After having reviewed several
proposals about update programs such as [2,4,1], we have some interesting
properties in the style of the AGM postulates for update programs, but in our
context of answer set semantics, which considers the two notions: Belief and
Knowledge. We call them BK-ASP properties.

Definition 8 (BK-ASP).

K1: $P \oplus x$ is a program.

K2: $P \oplus x \vdash_K x$.

K3: $x \equiv_K \bot$ implies $(P \oplus x) \equiv_K \bot$.

K4: $P \cup x \vdash_K P \oplus x$.

K5: if $P_1 \equiv_K P_2$ then $P \oplus P_1 \equiv P \oplus P_2$. (WIS)

K6: if $P_1 \vdash_K R$ then $(P \oplus P_1) \cup R \equiv P \oplus (P_1 \cup R)$.

We consider that the result of an update is a program, and a program is
considered as a theory, as we mention in the introduction. As we can see, our
second property (K2) guarantees that the input sentence x is accepted in
$P \oplus x$. Our third property (K3) says that if x is inconsistent (at the
knowledge level) then $(P \oplus x)$ cannot be consistent. Our fourth
property (K4) says that an expansion always knows more than (or as much as)
an update. Our fifth property (K5) says that update should be analyzed on the
knowledge level and not on the syntactic level. For this reason, two logically
equivalent sentences (at the knowledge level) should lead to equivalent updates
(at the belief level). This is the most interesting property in our proposal and
it is resolved and supported by our theorem 2. Next, we present our main result
with respect to BK-ASP properties.

Theorem 3. The update operator $\oplus$ satisfies the six BK-ASP properties for
tau-free programs.

Proof: Our first four properties follow directly by construction. The fifth
property follows by theorem 2. The last property can be proven as follows:
under the assumption $P_1 \vdash_K R$ it is easy to check that
$P \oplus P_1 \equiv (P \oplus P_1) \cup R$; by lemma 6,
$(P \oplus P_1) \cup R \equiv P \oplus (P_1 \cup R)$, as desired.
6 Conclusions

We studied new properties of the update operator. Unlike other approaches,
we considered a view of answer sets based on Nelson logics. This allowed us
to reconsider the AGM postulates in a more solid framework. Our
main contribution is the proposal of six properties for an update operator and
the proof that $\oplus$ satisfies all of them. However, we should continue working
in this line, since there are properties such as the following:

$$P \oplus P_1 \oplus Q \equiv P \oplus P_2 \oplus Q$$

for every program P and Q, that are not always satisfied, because our property
is only satisfied on the right.

References 

1. C.E. Alchourron, P. Gardenfors, and D. Makinson. On the logic of Theory Change, 
Partial Meet Functions for Contraction and Revision Functions. Journal of 
Symbolic Logic, vol. 50 pp. 510-530, 1985. 

2. J. J. Alferes, L. M. Pereira. Logic Programming Updating - a guided approach, in: 
A. Kakas, F. Sadri (eds.), Computational Logic: From Logic Programming into the 
Future - Essays in honour of Robert Kowalski, volume 2, pp. 382-412, Springer 
LNAI 2408, 2002. 

3. G. Brewka, J. Dix, and K. Konolige. Nonmonotonic Reasoning: An overview.
CSLI Publication Eds. Leland Stanford Junior University, 1997.

4. T. Eiter, M. Fink, G. Sabbatini, and H. Tompits. Considerations on Updates of
Logic Programs. In M.O. Aciego, L.P. de Guzmán, G. Brewka, and L.M. Pereira,
editors, Proc. Seventh European Workshop on Logic in Artificial Intelligence JELIA
2000, vol. 1919 in LNAI, Springer 2000.

5. M. Gelfond and V. Lifschitz. The stable model semantics for logic programs.
Proceedings of the Fifth International Conference on Logic Programming 2 MIT Press.
Cambridge, Ma. pp. 1070-1080.

6. M. Gelfond and V. Lifschitz. Classical negation in logic programs and Disjunctive
databases. New Generation Computing, pp. 365-387, 1991.

7. H. Katsuno and A.O. Mendelzon. Propositional knowledge base revision and
minimal change, Artificial Intelligence vol. 52, pp. 263-294, Elsevier, 1991.

8. V. Lifschitz, D. Pearce, and A. Valverde. Strongly Equivalent Logic Programs.
ACM Transactions on Computational Logic, vol. 2:526-541, 2001.

9. M. Osorio, J.A. Navarro, and J. Arrazola. Equivalence in Answer Set Programming
(extended version), Proceedings of LOPSTR 01, LNCS 2372, pp. 57-75,
Springer-Verlag, Paphos, Cyprus, November 2001.

10. M. Osorio, J.A. Navarro, and J. Arrazola. Applications of Intuitionistic Logic in
Answer Set Programming, accepted in Journal of TPLP, 2003.

11. M. Osorio, and F. Zacarias. “Irrelevance of Syntax in updating answer set
programs”, to appear in Workshop on Logic and Agents into Proc. of Fourth Mexican
International Conference on Computer Science (ENC’03) Apizaco Tlaxcala,
Mexico 2003.

12. E. Rasiowa. An algebraic approach to non-classical logics. American Elsevier
Publishing company, INC. New-York, 1974.




Minimal Keys in Higher-Order Datamodels 



Attila Sali 

Alfred Renyi Institute of Mathematics 
Hungarian Academy of Sciences 
Budapest, P.O.B.127 H-1364 Hungary 
sali@renyi.hu



Abstract. We study keys in higher-order datamodels. We show that 
they are equivalent with certain ideals. Based on that we introduce an 
ordering between key sets, and investigate systems of minimal keys. We 
give a sufficient condition for a Sperner-family of SHL-ideals being system 
of minimal keys, and give lower and upper bounds for the size of the 
smallest Armstrong-instance. 



1 Introduction 

The relational datamodel gave rise to theoretical research in several directions. 
Dependency structures were investigated as first-order logical sentences that are 
supposed to hold for all database instances [3,19]. On the other hand, their 
combinatorial investigations were fruitful resulting in nice problems, concepts, 
even as far topics as design and coding theory [8,9,10,5]. 

The relational model has been extended or generalized to nested relational
model [15], object oriented models [16], and object-relational models. The
important structures of all these were captured by the higher-order
Entity-Relationship model [17,18]. The semi-structured data and XML treated in [1]
can also be considered as an object-oriented model.

The major new structure in all these models is the introduction of constructors
that allow us to form complex data values from simpler ones. The dependencies
of the relational model can be generalized to these higher-order models, and
the axiomatization of certain dependencies was carried out in [11,12,13,14]. On
the other hand, the induced combinatorial structures have not been investigated
thoroughly yet. It is important from the point of view of schema design to
identify what kind of attributes can form key systems. The aim of the present paper
is to take the first steps in that direction, thus generalizing the work of
[6,7,8]. In Section 2 the necessary definitions are recalled. In Section 3 the
fundamental concept of SHL-ideals is investigated. Section 4 contains results on the
combinatorial structures.

2 Higher-Order Datamodel 

In this section we recall the basic definitions of the higher-order datamodel.
Because of the obvious space limitations we restrict ourselves to the very
necessary facts. Since the present paper can be considered as a continuation of [14]
from the present volume, our notations follow [14]. Let a finite universe
$\mathcal{U}$ be given, with countably infinite domains $dom(A)$ for all
$A \in \mathcal{U}$. The elements of $\mathcal{U}$ are called simple attributes.
Furthermore, let $\mathcal{L}$ be a set of labels, such that
$\mathcal{U} \cap \mathcal{L} = \emptyset$. Let $\lambda \notin \mathcal{U} \cup \mathcal{L}$.

Definition 2.1. The set $\mathcal{N}$ of nested attributes is the smallest set
with $\lambda \in \mathcal{N}$, $\mathcal{U} \subseteq \mathcal{N}$, and
satisfying the following properties:

► for $X \in \mathcal{L}$ and $X'_1, \ldots, X'_n \in \mathcal{N}$ we have $X(X'_1, \ldots, X'_n) \in \mathcal{N}$;

► for $X \in \mathcal{L}$ and $X' \in \mathcal{N}$ we have $X\{X'\} \in \mathcal{N}$;

► for $X_1, \ldots, X_n \in \mathcal{L}$ and $X'_1, \ldots, X'_n \in \mathcal{N}$ we have $X_1(X'_1) \oplus \ldots \oplus X_n(X'_n) \in \mathcal{N}$.

$\lambda$ is called null attribute, $X(X'_1, \ldots, X'_n)$ record attribute,
$X\{X'\}$ set attribute, and $X_1(X'_1) \oplus \ldots \oplus X_n(X'_n)$ (disjoint)
union attribute.

The domains are extended from simple attributes to nested attributes.

Definition 2.2. For a nested attribute $X \in \mathcal{N}$ a domain is assigned as follows:

► $dom(\lambda) = \{\top\}$;

► $dom(X(X'_1, \ldots, X'_n)) = \{(X_1 : v_1, \ldots, X_n : v_n) \mid v_i \in dom(X'_i),\ i = 1, \ldots, n\}$
with labels $X_i$ for the attributes $X'_i$;

► $dom(X\{X'\}) = \bigcup_{n=0}^{\infty} \{\{v_1, \ldots, v_n\} \mid v_i \in dom(X'),\ i = 1, \ldots, n\}$, i.e., each
element of $dom(X\{X'\})$ is a finite set with elements in $dom(X')$;

► $dom(X_1(X'_1) \oplus \ldots \oplus X_n(X'_n)) = \{(X_i : v_i) \mid v_i \in dom(X'_i),\ i = 1, \ldots, n\}$.

Certain restructuring rules were introduced in [2,14]. The first few state that
$\lambda$ in record attributes can be added or removed, order does not count in
record or union attributes, and applying the same constructor to equivalent
attributes results in equivalent attributes, again. The last three are there
because the union constructor allows partitioning the instance into subsets
containing only elements of a particular label.

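Definition 2.3. $\equiv$ is the equivalence relation generated by the following rules:

► $\lambda \equiv X()$;

► $X(X'_1, \ldots, X'_n) \equiv X(X'_1, \ldots, X'_n, \lambda)$;

► $X(X'_1, \ldots, X'_n) \equiv X(X'_{\sigma(1)}, \ldots, X'_{\sigma(n)})$ for any permutation $\sigma$;

► $X_1(X'_1) \oplus \ldots \oplus X_n(X'_n) \equiv X_{\sigma(1)}(X'_{\sigma(1)}) \oplus \ldots \oplus X_{\sigma(n)}(X'_{\sigma(n)})$ for any permutation $\sigma$;

► $X(X'_1, \ldots, X'_n) \equiv X(Y_1, \ldots, Y_n)$ iff $X'_i \equiv Y_i$ for all $i = 1, \ldots, n$;

► $X_1(X'_1) \oplus \ldots \oplus X_n(X'_n) \equiv X_1(Y_1) \oplus \ldots \oplus X_n(Y_n)$ iff $X'_i \equiv Y_i$ for all $i = 1, \ldots, n$;

► $X\{X'\} \equiv X\{Y\}$ iff $X' \equiv Y$;

► $X(X'_1, \ldots, Y_1(Y'_1) \oplus \ldots \oplus Y_m(Y'_m), \ldots, X'_n) \equiv Y_1(X'_1, \ldots, Y'_1, \ldots, X'_n) \oplus \ldots \oplus Y_m(X'_1, \ldots, Y'_m, \ldots, X'_n)$;

► $X\{X_1(X'_1) \oplus \ldots \oplus X_n(X'_n)\} \equiv X(X_1\{X'_1\}, \ldots, X_n\{X'_n\})$;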
In the rest of the paper $\mathcal{N}$ is identified with the set of equivalence
classes $\mathcal{N}/\equiv$. An ordering is introduced between nested attributes,
that is between equivalence classes of nested attributes. In the following we
will write $=$ instead of $\equiv$, and we say that Y is a subattribute of X if
$Y \le X$ holds for some representatives Y and X of the equivalence classes of Y
and X, respectively.

Definition 2.4. For $X, Y \in \mathcal{N}$, Y is called a subattribute of X iff
$Y \le X$ holds, where the partial order $\le$ is generated by the following rules:

► $X \ge \lambda$ for all $X \in \mathcal{N}$;

► $X(Y_1, \ldots, Y_n) \ge X(X'_{\sigma(1)}, \ldots, X'_{\sigma(m)})$ for some injective $\sigma : \{1, \ldots, m\} \to \{1, \ldots, n\}$ and $Y_{\sigma(i)} \ge X'_{\sigma(i)}$ for $i = 1, \ldots, m$;

► $X_1(Y_1) \oplus \ldots \oplus X_n(Y_n) \ge X_1(X'_1) \oplus \ldots \oplus X_n(X'_n)$ if $Y_i \ge X'_i$ for $i = 1, \ldots, n$;

► $X\{X'\} \ge X\{Y\}$ iff $X' \ge Y$;

► $X(X_{i_1}\{\lambda\}, \ldots, X_{i_k}\{\lambda\}) \ge X_{\{i_1, \ldots, i_k\}}\{\lambda\}$;

The last case of Definition 2.4 requires some explanation. Since
$X\{X_1(X'_1) \oplus \ldots \oplus X_n(X'_n)\}$ is equivalent with
$X(X_1\{X'_1\}, \ldots, X_n\{X'_n\})$, subattributes of type
$X(X_{i_1}\{X'_{i_1}\}, \ldots, X_{i_k}\{X'_{i_k}\})$ occur in $S(X)$ for every
subset $I = \{i_1, \ldots, i_k\} \subseteq \{1, 2, \ldots, n\}$. On the other hand,
these latter subattributes are equivalent with
$X\{X_{i_1}(X'_{i_1}) \oplus \ldots \oplus X_{i_k}(X'_{i_k})\}$, thus we obtain
subattributes of type “$X\{\lambda\}$” for all subsets I of the indices. These
subattributes need to be distinguished from each other, which is done by
introducing new labels $X_I$ and writing $X_I\{\lambda\}$. For example,
$X_{\emptyset}\{\lambda\} = \lambda$, $X_{\{1,2,\ldots,n\}}\{\lambda\} = X\{\lambda\}$
and $X_{\{i\}}\{\lambda\} = X(X_i\{\lambda\})$. (A tuple t has
$\pi^X_{X_I\{\lambda\}}(t) = \top$ iff it has a nonempty element of label $X_i$
for some $i \in I$.)

For a nested attribute $X \in \mathcal{N}$, $S(X)$ denotes the poset of
subattributes under the ordering given in Definition 2.4. This poset is a lattice,
but not necessarily distributive [14]. If $Y \le X$, then there is a natural
projection $\pi^X_Y : dom(X) \to dom(Y)$. If $X \equiv Y$, then we have both
$X \le Y$ and $X \ge Y$, and the projections $\pi^X_Y$ and $\pi^Y_X$ are inverses
of each other.

A weak functional dependency on $S(X)$ is an expression
$\{|\, \mathcal{Y}_i \to \mathcal{Z}_i \mid i \in I \,|\}$
with I being a (finite) index set and $\mathcal{Y}_i, \mathcal{Z}_i \subseteq S(X)$.
If $|I| = 1$, a functional dependency is obtained. A finite subset
$r \subseteq dom(X)$ is called an instance of X. r is said to satisfy the weak
functional dependency $\{|\, \mathcal{Y}_i \to \mathcal{Z}_i \mid i \in I \,|\}$
(notation $r \models \{|\, \mathcal{Y}_i \to \mathcal{Z}_i \mid i \in I \,|\}$) iff
for every pair of tuples $t_1, t_2 \in r$ there exists an $i \in I$ such that
$\pi^X_Y(t_1) = \pi^X_Y(t_2)$ for all $Y \in \mathcal{Y}_i$ implies
$\pi^X_Z(t_1) = \pi^X_Z(t_2)$ for all $Z \in \mathcal{Z}_i$. Note that if
$|I| = 1$, we obtain the usual concept of satisfying a functional dependency.

We need one more definition. 

Definition 2.5. Two subattributes $Y, Z \in S(X)$ are called semi-disjoint iff one
of the following holds:

1. $Y \ge Z$ or $Z \ge Y$;

2. $X = X(X_1, \ldots, X_n)$, $Y = X(Y_1, \ldots, Y_n)$, $Z = X(Z_1, \ldots, Z_n)$ and $Y_i, Z_i \in S(X_i)$ are semi-disjoint, for all $i = 1, \ldots, n$;

3. $X = X_1(X'_1) \oplus \ldots \oplus X_n(X'_n)$, $Y = X_1(Y'_1) \oplus \ldots \oplus X_n(Y'_n)$, $Z = X_1(Z'_1) \oplus \ldots \oplus X_n(Z'_n)$, and $Y'_i, Z'_i \in S(X'_i)$ are semi-disjoint, for all $i = 1, \ldots, n$;
3 SHL Ideals

In this section we study an important concept of the theory of higher order 
datamodels. This is an ideal of S(X) with additional closure properties, which 
was introduced in [14]. 

Definition 3.1. Let X be a nested attribute. An SHL-ideal is a subset
$\mathcal{A} \subseteq S(X)$ with the following properties:

1. $\lambda \in \mathcal{A}$;

2. $Y \in \mathcal{A}$ and $Y \ge Z$ for $Z \in S(X)$ implies $Z \in \mathcal{A}$;

3. if $Y, Z \in \mathcal{A}$ are semi-disjoint, then $Y \sqcup Z \in \mathcal{A}$, where $\sqcup$ is the union operator
of the lattice $S(X)$;

4 • a) if X/{A} G A and if Aj{A} ^ A for {i\, i 2 , . . . , ik} = I C J, then 
X(X,AX' 7i },... ,I,JI'})gJ; 

b) if Xi{ A} G A and if Xi{ A} ^ A for all i G I , then there exists a partition 

I = h U I 2 with X h {A} i A, X l2 {A} i A and X v {A} G A for all I 1 Cl 
with I' fl I\ ^ 0 ^/'n/ 2 ; 

c) if G A and X 7 -{A} ^ A (for I~ = {i G {l,...,n} | 

X(Xj{A}) ^ A}), then there exists some i G I + = {1, ... ,n}\I~ such 
that for all JCT we have ^Gu{i}{A} G A; 

d) ifXj-{ A} G A and for all i G I + there is some JCT with ^ 

A, then for all l G I + and all K C I~ with Xx{\} A we also have 
Xku{C}{M ^ T i 

5. if Xj{ A} G A and Aj{A} G A with I n J = 0, then X 7u j{A} G A; 

6. a) if X = X(X 1 ,X 2 ,...X n ), then A, = { Y, , G S (XJ | X(A,.., ,Y lt ... , 

A) G T} is an SHL-ideal; 

b) if X = Xi(X[) ® . . . ® X n (x' n ) and T ^ {A}, then the set = {Yi G 
§(Xi) | ATi(A) ® . . . ® Xi(Yi) © . . . ffi X„(A) G A} is an SHL-ideal; 

c) if X = X{X'} and A ± {A}, then 5 = {Y G S(X') | X{Y} G A} is a 
semi-SHL-ideal. 

An ideal is called semi-SHL-ideal iff it satisfies properties 1, 2, 4 and the
modification of 6 where we require only semi-SHL-ideal instead of SHL-ideal.

Lemma 3.1. Let X be a nested attribute and r be an instance of it. Let
$t_1, t_2 \in r$ and define
$\mathcal{A}_{t_1,t_2} = \{Y \in S(X) \mid \pi^X_Y(t_1) = \pi^X_Y(t_2)\}$. Then
$\mathcal{A}_{t_1,t_2}$ is an SHL-ideal.

Proof of Lemma 3.1: The first two properties are obvious, using the fact that
if $Y \ge Z$ in $S(X)$, then $\pi^X_Z(t) = \pi^Y_Z(\pi^X_Y(t))$ for any tuple t.

For 3., assume that $Y, Z \in \mathcal{A}$ are semi-disjoint. By Definition 2.5
either Y and Z are comparable in the lattice $S(X)$, or they are constructed from
semi-disjoint components via tuple or union constructors. In both of these cases
easy induction completes the proof using such properties of $S(X)$ as: $\sqcup$ of
tuples is the tuple of $\sqcup$ of the components, etc.

4. (a): 7r y 7 {A}(^ 1 ) 7 ^ 7r Y J {A}(^ 2 ) means that one is 0> the other is {T}, say 
n Xj{ A}(ti) = 0- This implies that 7r ^{ a} (^ 1 ) = thus 7r£r A i(t2) = 0, as 
well. This means .a.ja'J)^) = *x(x tl {x' tl },...,x ih {xi k })fo)- 
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4.(b): Assume 7 t£/{a}(^i) = Tvj{A}(* 2 ) but ^ 3”> that is 7r^r A }(ti) ^ 

7r* } (f 2 ) for all i £ I. Then for alii £ I exactly one of t\ and t 2 has an element 
of type (Xj : vf) with £ dom(Xi). Let Jo = {i | {A} = T}, Ii = I — Iq. Let 

/' C I, then 7r .Y J / { A } (ti) = ^{A}^ 2 ) iff I' D h ± 0 ^ I' D I 2 . 

4.(c): Xn... >n } £ X implies that either both of t\ and t 2 are the empty tuple, or 
both of them are non-empty, i £ I~ means that exactly one of the two tuples 
have an element of label X, . X/-{A} £ X means that t\ and t 2 differ on the set 
I, that is one of them has no element of type (X,; : vf) with vt £ dom(Xi) for 
i £ I~ , the other one has. Say, 7rjf (*i) = 0- Then there exists an i £ /+, such 
that t\ has an element of type (Xj : vf) with m £ dom(Xi). Since this index i is 
from I + , t 2 must also have an element of type (Xj : vf) with i>j £ dom(Xi). In 
this case 7rf ju{i}{A} (ti) = ^ juw{ a}(* 2 ) = T for a11 J £ J ~ ■ 

4. (d): If Xj- {A} £ T and for all i £ I + there is some J C I~ with XjupyjA} ^ T, 
then none of t\ or t 2 has an element of type (Xj : v.;) with Vj £ dom(Xi) for all 
i £ I + . If Xk{ A} ^ T for K C I~ , then one of t\ or t 2 has an element of type 
(Xj : Vi) with Vi £ dom(Xi) for some i £ K, while the other has none. Then if 
l £ /+, then the same holds for K U {£}, as well. 

5. is obvious, and to prove 6. (a)-(c), one can use induction. ■ 

We need here a corollary of the Central Lemma of [14]. 

Lemma 3.2. Let X be a nested attribute such that the union constructor ap- 
pears in X only inside a set constructor. Let L) = {!Ki,tK 2 , ■ ■ ■ ,34^} be a 
Sperner family of SHL-ideals. Then there exist tuples tQ,t\ £ dom(X) for all 
i = 1, 2, . . . , k, such that we have n y (i*) = 7 Ty ( t \ ) iffY£ ! Hj . Furthermore, if 
tt % (T a ) = 7 ( t J b ) a, b £ {0, 1}, i ^ j, for some Z £ §(X), then Z is constructed 
only from subattributes of type X/{A}. 

PROOF of Lemma 3.2: The Cover Lemma of [14] is applied separately for each 
34i to obtain the tuples t l 0 ,t\ £ dom(X). The only thing we have to take care 
of that during the inductive construction of the tuples, the constants from the 
domains of simple attributes used for 3{j must be distinct from those used for 
TCj if i j. This ensures that tuples constructed for 3{j cannot agree with tuples 
constructed for J~Cj on subattributes having a non- A component, for i ^ j. I 

4 Minimal Keys 

In this section the idea of keys is generalized for the higher-order datamodel.
In the relational model a subset $\mathcal{K}$ of attributes is a key iff
$\mathcal{K} \to X$. This could be interpreted in two ways if the relational model
is considered as a special case of the higher-order model. That is, the nested
attribute $X(A_1, A_2, \ldots, A_n)$, where the $A_i$’s are simple attributes, is
equivalent with the classical relational schema $X\{A_1, A_2, \ldots, A_n\}$. A
subset of attributes $\mathcal{K} = \{A_{i_1}, A_{i_2}, \ldots, A_{i_r}\}$ could be
identified with the set of subattributes
$\{X(A_{i_1}), X(A_{i_2}), \ldots, X(A_{i_r})\}$ or with the subattribute
$X(A_{i_1}, A_{i_2}, \ldots, A_{i_r})$. While the first one considers subsets of
the lattice $S(X)$, the second refers to elements of it. As will be seen, the two
things are different manifestations of the same general concept.
Definition 4.1. Let X be a nested attribute with subattribute lattice $S(X)$. A
subset $\mathcal{K} \subseteq S(X)$ is a key iff $\mathcal{K} \to S(X)$ holds. That
is, in an instance of $S(X)$ there exist no two tuples $t_1$ and $t_2$ such that
$\pi^X_K(t_1) = \pi^X_K(t_2)$ for all $K \in \mathcal{K}$.

Let $\mathcal{K}$ be a key and consider the SHL-ideal $shl(\mathcal{K})$ generated
by $\mathcal{K}$. Clearly, $shl(\mathcal{K})$ is also a key. The converse is also
true.

Theorem 4.1. Let $\mathcal{K}$ be an SHL-ideal of $S(X)$, which is a key. Let
$\mathcal{G} \subseteq \mathcal{K}$ be any generating subset of $\mathcal{K}$. Then
$\mathcal{G} \to S(X)$ also holds, i.e., $\mathcal{G}$ is also a key.

PROOF OF Theorem 4.1: The proof of Theorem 5.1 of [14] is applied.
Consider the one-element set of FDs X = {X — >■ S(X)}, and assume that {S — > 
S(X)} ^ S + . That is, there exists a Z £ S(X), such that {S — > {Z}} ^ E + . Let 
Z be the filter generated by Z , i.e., Z = {Y \ Y > Z} and let If = S(X) — S — Z. 
Clearly, S H Z = 0. Let r be an instance such that r {S {Z}} 4=> r \f= 
{S — > {F} | Y £ Zj}. That is, there exists ti,t 2 £ r such that 7rg(t i) = Kcfa) for 
all G £ S, but 7 Ty (ti) yf 7 (^ 2 ) for all Y £ Z. Take a maximal U'CU such that 
7 r£ (ti) = tt§ (t 2 ) for all U £ ll'. If r 1= {S U U' -)■ {Y} j V £ Z U (U - U')|}held, 
then If' yf It would hold, and there would exist some V £ It — It' with 7Ty(ti) = 
TTy (t 2 ), which contradicts the maximality of If'. Thus, there exists IT C U such 
that r^lSUlt' — > {Y} \Y eZU(lt — lt')|. Take It' maximal with respect to 
this property. Then 3 = 5 U It' is an SHL-ideal, as it is shown in [14]. However, 
shl( S) = X C 3, so 3 is a key, in particular r |= {S U If' — > {F} | Y £ S(X)j}, 
that contradicts the choice of If ' . ■ 

Theorem 4.1 allows us to identify keys with their generated SHL-ideals and
systems of keys with families of SHL-ideals. Two keys are said to be equivalent
if they generate the same SHL-ideal. We introduce an ordering on the
(equivalence classes of) keys as follows:

$\mathcal{X}_1 \preceq \mathcal{X}_2 \iff \mathrm{shl}(\mathcal{X}_1) \subseteq \mathrm{shl}(\mathcal{X}_2)$. (1)

A key is said to be minimal if it is minimal under the ordering $\preceq$. Thus,
a system $\mathfrak{K}$ of minimal keys corresponds to a Sperner-family of
SHL-ideals.

Example. Let $X = X(A_1, A_2, \ldots, A_n)$ be a nested attribute, where the
$A_i$'s are simple attributes. Then any pair of subattributes is semi-disjoint,
so any SHL-ideal is a principal ideal. The SHL-ideal generated by
$\{X(A_{i_1}), X(A_{i_2}), \ldots, X(A_{i_r})\}$ happens to be the principal
ideal generated by $X(A_{i_1}, A_{i_2}, \ldots, A_{i_r})$. This shows that
Definition 4.1 is a sound generalization of the classical relational case.

Let $\mathcal{X}$ be a key; furthermore, let $\mathcal{X} = \mathrm{shl}(\mathcal{X})$.
The maximal elements of $\mathcal{X}$ under the ordering $\leq$ of $S(X)$ form a
generating set of $\mathcal{X}$, which is called the canonical generating set
of $\mathcal{X}$. Whenever it is not stated explicitly otherwise, we will
consider the canonical generating set of an SHL-ideal.

Definition 4.2. A set $\mathcal{A} \subseteq S(X)$ of subattributes is called an
antikey iff $\mathcal{A} \not\to S(X)$.

Using Theorem 4.1 we can prove the equivalence of antikeys and SHL-ideals.

Theorem 4.2. Let $\mathcal{A}$ be an antikey and let
$\mathcal{S} = \mathrm{shl}(\mathcal{A})$ be the SHL-ideal generated by
$\mathcal{A}$. Then $\mathcal{S}$ (and consequently any generating set of it)
is an antikey.







Proof of Theorem 4.2: Assume indirectly that A is an antikey, but S = 
shl(A) is not, that is, shl(A) is a key. Then applying Theorem 4.1 we obtain 
that any generating set of shl(A), in particular A also, is a key, a contradiction. 

■ 

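The ordering $\preceq$ defined by (1) can be extended to (equivalence classes
of) antikeys as well. The maximum antikeys form a Sperner-family $\mathfrak{A}$
of SHL-ideals. Let $\mathfrak{K} = \{\mathcal{X}_1, \mathcal{X}_2, \ldots, \mathcal{X}_r\}$
be the system of minimal keys. Then the set of maximum antikeys is
$\mathfrak{A} = \{\mathcal{A}_1, \mathcal{A}_2, \ldots, \mathcal{A}_s\}$ so that

$\mathcal{X}_i \not\subseteq \mathcal{A}_j$ for all pairs $i, j$ and the $\mathcal{A}_j$'s are maximal under this condition. (2)

Let $\mathfrak{K} = \{\mathcal{X}_1, \mathcal{X}_2, \ldots, \mathcal{X}_r\}$ be a
Sperner-system of SHL-ideals, furthermore let
$\mathfrak{A} = \{\mathcal{A}_1, \mathcal{A}_2, \ldots, \mathcal{A}_s\}$ be the
Sperner-system of SHL-ideals defined by (4.2). In this case $\mathfrak{A}$ is
denoted by $\mathfrak{A} = \mathfrak{K}^{-1}$.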

The question is which Sperner-systems of SHL-ideals occur as families of
minimal keys? In the relational model the answer was given by Armstrong and
Demetrovics [4,6]. Namely, they proved that every Sperner-family of subsets of
attributes can be a system of minimal keys. However, the analogous statement
does not hold in general for the higher order datamodel. Consider the nested
attribute $X\{X_1(A) \oplus X_2(B)\} = X(X_1\{A\}, X_2\{B\})$ and its
subattribute lattice $S(X)$ shown in Figure 1. Let us take
$\mathfrak{K} = \{\{X\{\lambda\}, \lambda\}\}$, that is the system of minimal
keys consisting of a single SHL-ideal generated by $\{X\{\lambda\}\}$. Because
$\{X\{\lambda\}\}$ is a key, there are only two possible tuples in an instance,
namely $t_1 = \emptyset$ and $t_2$ being any nonempty tuple. The system of
maximal antikeys $\mathfrak{A}$ consists of two SHL-ideals,
$\mathcal{A}_1 = \mathrm{shl}(X(X_1\{A\}))$ and
$\mathcal{A}_2 = \mathrm{shl}(X(X_2\{B\}))$. By Lemma 4.1 we would need at least
3 tuples to realize this antikey system.

Fig. 1. The lattice $S(X\{X_1(A) \oplus X_2(B)\})$



Definition 4.3. Let $\mathfrak{K} = \{\mathcal{X}_1, \mathcal{X}_2, \ldots, \mathcal{X}_r\}$
be a Sperner-system of SHL-ideals. $r$ is called an Armstrong-instance for
$\mathfrak{K}$ if the minimal key system determined by $r$ is $\mathfrak{K}$. If
there exists an Armstrong-instance for a given $\mathfrak{K}$, then
$s(\mathfrak{K})$ denotes the smallest possible number of tuples in an
Armstrong-instance of $\mathfrak{K}$. Otherwise define $s(\mathfrak{K}) = \infty$.

The next lemma is a generalization of the key lemma from [7].

Lemma 4.1. Let $\mathfrak{K} = \{\mathcal{X}_1, \mathcal{X}_2, \ldots, \mathcal{X}_r\}$
be a Sperner-system of SHL-ideals. Let
$\mathfrak{A} = \{\mathcal{A}_1, \mathcal{A}_2, \ldots, \mathcal{A}_s\}$ be the
system of maximal antikeys belonging to $\mathfrak{K}$. Then




(3) 



Proof of Lemma 4.1: If $s(\mathfrak{K}) = \infty$, then we have nothing to
prove. Otherwise, let $r$ be an instance with the minimum number of tuples. For
$t_i \neq t_j \in r$ let $\mathcal{H}_{ij}$ be the SHL-ideal of subattributes
where the two tuples agree by Lemma 3.1. This is an antikey, so there exists an
$\mathcal{A}_k$ with $\mathcal{H}_{ij} \subseteq \mathcal{A}_k$. On the other hand,
Ui<*<j<|r| — Ui<fe<|a| J ^ fe mus t hold. Thus, the number of pairs of tuples 

in r is at least as large as the number of maximal antikeys. ■ 
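The counting argument above can be checked mechanically in the relational special case (flat attributes only), where subsets of attributes take the place of SHL-ideals. The following is an added example, not code from the paper; the instance and all function names are constructed for illustration.

```python
from itertools import combinations

# Constructed sample instance over flat attributes A, B, C (indexes 0, 1, 2).
ATTRS = ("A", "B", "C")
INSTANCE = [
    ("a1", "b1", "c1"),
    ("a1", "b2", "c2"),
    ("a2", "b1", "c2"),
]


def agree_set(t1, t2):
    """Attribute indexes on which two tuples coincide."""
    return frozenset(i for i, (u, v) in enumerate(zip(t1, t2)) if u == v)


def all_subsets(n):
    """All subsets of {0, ..., n-1} as frozensets."""
    for size in range(n + 1):
        for combo in combinations(range(n), size):
            yield frozenset(combo)


def maximal(family):
    """Members of the family not properly contained in another member."""
    family = set(family)
    return {s for s in family if not any(s < other for other in family)}


def minimal(family):
    """Members of the family that properly contain no other member."""
    family = set(family)
    return {s for s in family if not any(other < s for other in family)}


def is_key(attrs, instance):
    """attrs is a key iff no two distinct tuples agree on all of attrs."""
    attrs = frozenset(attrs)
    return not any(attrs <= agree_set(t1, t2)
                   for t1, t2 in combinations(instance, 2))


def minimal_keys(instance, n_attrs):
    """The Sperner family of minimal keys determined by the instance."""
    return minimal(x for x in all_subsets(n_attrs) if is_key(x, instance))


def maximal_antikeys(instance):
    """Every antikey lies inside the agree set of some pair of tuples,
    so the maximal antikeys are exactly the maximal agree sets."""
    return maximal(agree_set(t1, t2) for t1, t2 in combinations(instance, 2))


def antikeys_from_keys(keys, n_attrs):
    """Condition (2): the maximal attribute sets containing no minimal key."""
    return maximal(x for x in all_subsets(n_attrs)
                   if not any(k <= x for k in keys))


def names(family):
    """Readable form of a family of attribute-index sets (for INSTANCE)."""
    return sorted("".join(ATTRS[i] for i in sorted(s)) for s in family)


if __name__ == "__main__":
    keys = minimal_keys(INSTANCE, len(ATTRS))
    anti = maximal_antikeys(INSTANCE)
    pairs = len(INSTANCE) * (len(INSTANCE) - 1) // 2
    print("minimal keys:    ", names(keys))
    print("maximal antikeys:", names(anti))
    print("pairs of tuples: ", pairs, ">=", len(anti))
```

In this instance the number of tuple pairs equals the number of maximal antikeys, so three tuples are the fewest that can realize this key system.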

Consider X = Xi(XQ ® X 2 (X 2 ) ® . . . ® X n (X' n ). An instance r of X can be 

partitioned r = r\ Ur 2 U . . . Ur„ where ry consists of the tuples of type (A,; : vf). 
A set X = {Yi,Y 2 , . . . , Y m } C S(X) is a key iff is a key in S(Xj) for 

all 1 < i < n. Note that if Yj = Xi (Y() ® . . . ® X n (Y£), then = 

{X i (Y i 1 ),X i (Y i 2 '), . . . ,X i (X i m )}. This observation allows us to consider only the 
cases when the union constructor occurs only inside of a set, list or multiset
constructor.

Theorem 4.3. Let $X$ be a nested attribute and assume that the union
constructor occurs in $X$ only inside of a set constructor. Let
$\mathfrak{K} = \{\mathcal{X}_1, \mathcal{X}_2, \ldots, \mathcal{X}_n\}$ be a
Sperner-family of SHL-ideals of $S(X)$. If the canonical generating set of
$\mathcal{X}_i$ contains a subattribute that has a simple attribute in its
construction, for all $1 \leq i \leq n$, then $\mathfrak{K}$ has an
Armstrong-instance and $s(\mathfrak{K}) \leq 2|\mathfrak{K}^{-1}|$.

Proof of Theorem 4.3: Let $\mathfrak{K}^{-1} = \{\mathcal{A}_1, \ldots, \mathcal{A}_k\}$.
Lemma 3.2 provides tuples $t_0^i, t_1^i$, $i = 1, 2, \ldots, k$, such that
$\pi_Y(t_0^i) = \pi_Y(t_1^i)$ iff $Y \in \mathcal{A}_i$. This ensures that
$\mathcal{A}_i$ is an antikey for all $i$. On the other hand, if
$\pi_Z(t_a^i) = \pi_Z(t_b^j)$ for some $Z \in S(X)$, $a, b \in \{0, 1\}$, and
$1 \leq i < j \leq k$, then $Z$ is constructed only from subattributes of type
$X_I\{\lambda\}$, thus no two tuples can agree on every subattribute in the
canonical generating set of $\mathcal{X}_s$ for all $s$, which implies that each
$\mathcal{X}_s$ is a key. The number of tuples in this Armstrong-instance is
exactly $2|\mathfrak{K}^{-1}|$. ■

The condition in Theorem 4.3 is sufficient, but not necessary for the existence
of an Armstrong-instance. For example, consider $S(X\{X_1(A) \oplus X_2(B)\})$
shown in Figure 1. If we take
$\mathfrak{K} = \{\mathrm{shl}(\{X(X_1\{\lambda\}, X_2\{\lambda\})\})\}$, then
$\mathfrak{K}^{-1}$ consists of two SHL-ideals,
$\mathcal{A}_1 = \mathrm{shl}(X(X_1\{A\}))$ and
$\mathcal{A}_2 = \mathrm{shl}(X(X_2\{B\}))$. Then three tuples are constructed
in Lemma 3.2, namely $t_0^1 = t_0^2 = \emptyset$, $t_1^1 = (X_2 : b)$, and
$t_1^2 = (X_1 : a)$. These three tuples clearly form an Armstrong-instance for
$\mathfrak{K}$.

5 Conclusion 

In the present paper we investigated keys and antikeys in the presence of vari- 
ous constructors in the higher order datamodel. We proved that keys, as well as 
antikeys, correspond to certain ideals with additional closure properties. These 
are SHL-ideals, subsets of the subattribute lattice. We showed that the system
of minimal keys corresponds to a Sperner-system of SHL-ideals and exhibited a
sufficient condition when such a Sperner-system occurs as a system of minimal
keys. The candidate key systems not covered by the sufficient condition of
Theorem 4.3 are the pathological cases in the sense that having a key SHL-ideal
whose generating sets are constructed of subattributes of type $X_I\{\lambda\}$
entirely limits the possible number of tuples to a finite value. These types
are not likely to occur in practice.

Demetrovics [6] used his construction to determine the maximum possible 
number of minimal keys in a relational database schema. Our results may turn 
out to be useful to answer the similar problem in the presence of various construc- 
tors of the higher order datamodel. The SHL-ideals of the subattribute lattice 
form a lattice themselves under the set containment as ordering. We conjecture 
that the largest Sperner-system of this latter lattice has an Armstrong-instance 
(true for the relational model). 
Abstract. Traditional database query languages are based on set theory 
and crisp logic. Many applications, however, need similarity or retrieval- 
like queries producing results with truth values from the interval [0, 1]. 
Such truth values can be regarded as continuous membership values of 
tuples expressing how strongly a query is matched. Formulating queries 
by applying existing similarity relational algebras means to express the 
user’s need in a procedural manner. In order to support a declarative 
way of formulating queries, we generalize the classical relational domain 
calculus by incorporating fuzzy operations and user weights. Besides 
defining syntax and semantics we show how to map any calculus ex- 
pression onto a corresponding similarity algebra expression. In this way, 
we present a theoretical foundation for a declarative query language com- 
bining retrieval functionality and traditional relational databases. 



1 Introduction 

Queries in multimedia databases often need a combination of information
retrieval mechanisms and traditional database query language constructs.
Retrieval functionality is required if a query contains a similarity predicate,
e.g. the query: »Retrieve all images that are similar in form and color to the
given image.« In this example we have two conjunctively combined similarity
predicates.

Traditional boolean operators, however, are not able to deal with imprecise
membership data. Therefore, fuzzy-logic operations as a generalization of
boolean logic are proposed [1]. Introducing user weights gives users more
control to map the information need onto an adequate query. For example, we may
formulate: »Retrieve all images that are similar in form and color to the given
image. And color is twice as important as form.«

In order to formulate queries independently from internal query processing 
we propose to formulate them in a declarative manner. Therefore, we enhance 
the classical relational domain calculus by the notion of vagueness. For query 
processing, calculus expressions need to be mapped to an algebra. Therefore, our 
similarity algebra is the target language for the mapping but not the language 
which the user poses queries against. Since querying directly in relation calculus 
is too difficult for many users we are planning to design a graphical language 
in a QBE-like fashion from which a mapping to our similarity calculus can be 
easily performed. For this reason we need a sound theoretical foundation for 
declarative query languages which is presented here. 

Our calculus language defines core functionalities. It extends the classical 
relational calculus by introducing imprecise truth values in form of similarity 
predicates, fuzzy operators, fuzzy quantifiers, and user weights. The language 
is defined on the relational model, that is, imprecise data result from applying 
vague predicates during the query processing but not from the database directly. 
Since we do not specify the exact fuzzy-operations and weighting formulas our 
approach serves as a formal framework which can be adapted and extended to 
match the needs for different scenarios. 

The contributions of our work can be summarized as follows: 

1. We formally define a declarative query language, the similarity relational 
calculus, which combines the handling of imprecise truth values together 
with the traditional relational domain calculus. 

2. The language provides operations to weight similarity predicates. Further- 
more, we introduce fuzzified quantifiers. 

3. We show how to map the similarity relational calculus language to a
similarity algebra, because an algebra is better suited for efficient query
processing. For the mapping we distinguish between domain dependent and domain
independent queries.

2 Related Work 

The relational data model and its languages, the relational algebra and the rela- 
tional calculus, were developed by Codd and published in [2, 3, 4, 5]. He proved the 
equivalence between algebra and calculus by specifying a reduction algorithm. 
A good overview of the theory of relational databases is given in [6,7,8]. 

An important aspect of the reduction algorithm is to restrict calculus queries 
so that they produce finite and domain independent results only. Such queries 
are called safe queries. A discussion concerning the safety aspect regarding our 
similarity calculus and algebra is given in [9]. 

In our approach we enhance the relational domain calculus by vague predicates.
Coping with vagueness requires appropriate logical operators. Therefore, we
apply techniques from fuzzy logic [1]. Furthermore, we give users freedom
to specify preferences for operands of operators. Weights on operands express 
their weighted contribution to the operation result. Typically, an approach as 
described by Fagin and Wimmers in [10] can be applied. However, we leave the 
weighting mechanism open. That is, our approach is not restricted to Fagin’s 
formula. In [11] we discussed the application of Fagin’s formula to complex sim- 
ilarity queries w.r.t. associativity and distributivity. 

Another approach to specify preferences is introduced in [12]. Instead of
weighting, preferences in terms of »A is better than B« are mapped onto strict
partial orders. Beyond it, a weighting of search terms can be indirectly
expressed using certain predicates, which requires the user to specify
appropriate combining functions.

In the early nineties, much research was done on developing fuzzy-databases 
with corresponding fuzzy query languages. [13] introduces a fuzzy ER-model to- 
gether with a calculus language using Fuzzy-logic. Another example is [14] which 
investigates how to implement a Fuzzy-SQL language on top of the commercial 
database system ORACLE. Most of the work in the area of fuzzy databases,
however, does not support user weights. Furthermore, it relies on the two
imprecise values necessity and possibility, which do not conform to our
intended scenario of multimedia applications.

[15] sketches the design of a fuzzy calculus, fuzzy algebra and a mapping 
between them. However, this work suffers from an incomplete formalization. 

Most extensions of the relational model by imprecision were performed on the
relational algebra, see e.g. [16,17]. A very good work is [17] which introduced
the $\mathit{SAME}^W$ similarity algebra. Our proposal defines a small set of
algebra operations which is powerful enough to be the target language for
mapping from the similarity calculus. One problem, not considered in [17], is
the observation that a weighted conjunction where the score of one operand is
zero can produce a nonzero score. Furthermore, in contrast to [17] we leave the
semantics of unweighted and weighted operators unspecified and require just the
satisfaction of some logical rules.

An interesting approach to combine the information retrieval world with the 
database world is the probability relational algebra proposed in [18]. However, 
due to the stochastic approach they require stochastically independent events 
(tuples). Therefore, the authors propose intensional semantics instead of exten- 
sional semantics which is typically used in the database area. A problem with 
this approach occurs when an imprecise predicate violates the demand for inde- 
pendent events (tuples). 



3 Weighting Fuzzy Operations 

In general a calculus query consists of a condition $X$ that is composed of $n$
predicates $x_i$ with $i = 1 \ldots n$. A complex query condition is a compound
of predicates using the operators $\wedge$ and $\vee$. Beside these connectives
the negation operator is likewise important¹. Thus, a query condition can be
defined as $X := x \mid (X\ [\wedge \mid \vee]\ X) \mid \neg X \mid (X)$.

Similarity or retrieval-like predicates produce values from the interval [0, 1]
called scores. The overall tuple score $\mu$ based on an aggregation
(conjunction, disjunction) of the specific truth values $\mu_i$ is calculated
using a scoring function $S : [0,1] \times [0,1] \to [0,1]$. Typically, t-norms
resp. t-conorms from fuzzy logic [1] are employed as scoring functions for
conjunctions resp. disjunctions. These functions must satisfy the following
conditions:



1 In this section quantifiers are neglected. 
Definition 3.1. Function $T : [0,1] \times [0,1] \to [0,1]$ is a t-norm if it
satisfies the criteria:

(i) $T(\mu_1, \mu_2) = T(\mu_2, \mu_1)$ (commutativity)

(ii) $T(\mu_1, T(\mu_2, \mu_3)) = T(T(\mu_1, \mu_2), \mu_3)$ (associativity)

(iii) $\mu_1 \leq \mu_3 \wedge \mu_2 \leq \mu_4 \Rightarrow T(\mu_1, \mu_2) \leq T(\mu_3, \mu_4)$ (monotonicity)

(iv) $T(\mu_1, 1) = \mu_1$ (border condition).

Definition 3.2. Function $T : [0,1] \times [0,1] \to [0,1]$ is a t-conorm if it
satisfies the criteria:

(i)-(iii) same as in the definition of t-norms

(iv) $T(\mu_1, 0) = \mu_1$ (border condition).



An aspect to enhance the flexibility to express preferences is to give users
the possibility to assign weights to arguments in a compound query [17,10,19].
In our approach we support a binary weighting of search terms by incorporating
a weight $\theta \in [0,1]$ into the classical operators $\wedge$ and $\vee$. We
distinguish between left-oriented
($\overleftarrow{\wedge}_\theta$, $\overleftarrow{\vee}_\theta$) and
right-oriented ($\overrightarrow{\wedge}_\theta$, $\overrightarrow{\vee}_\theta$)
operators. The arrow marks the side on which the weight is stronger. Thus,
$\overrightarrow{\wedge}_\theta$ denotes that the right operand is stronger
weighted than the left one and $\overleftarrow{\wedge}_\theta$ denotes that the
left operand is stronger weighted than the right one, respectively. We require
$\mu_1 \overleftarrow{\wedge}_\theta \mu_2 = \mu_1$ if $\theta = 1$ and
$\mu_1 \overleftarrow{\wedge}_\theta \mu_2 = \mu_1 \wedge \mu_2$ if $\theta = 0$.
The same must hold for $\overrightarrow{\wedge}_\theta$,
$\overleftarrow{\vee}_\theta$, and $\overrightarrow{\vee}_\theta$.

For the evaluation of weighted conjunctions and disjunctions it is necessary
to incorporate the weight $\theta$ into the underlying scoring functions.
Therefore, in our approach the signature of a weighted scoring function, for
example for $\overrightarrow{\wedge}_\theta$, is
$S^{\Theta}_{\overrightarrow{\wedge}_\theta} : [0,1] \times [0,1] \times [0,1] \to [0,1]$,
where the first argument is given by the weight.

There exist several requirements for a weighted scoring function [10,19,20]. 
We require a weighted scoring function to be a generalization of the correspond- 
ing, unweighted scoring function. Furthermore, the weighted function should be 
continuous in all its arguments and in case of equal weights or equal input scores 
it should reduce to the unweighted scoring function. 

Fagin and Wimmers proposed a weighting formula which allows to incorpo- 
rate weights into any scoring function [10]. The weighting formula requires the 
weights to be given for each operand. Thus, a mapping of the 9 value from Ag 
to 9i , 0 2 for Fagin’s formula is performed by applying 9i = and 0 2 = -4^ . 

The same holds for $\overrightarrow{\vee}_\theta$. For the left-arrowed cases
the formulas for the weights $\theta_1$ and $\theta_2$ need to be swapped.
Fagin's approach is applicable to n-ary scoring functions. Under the assumption
of $\sum_i \theta_i = 1$ and $\theta_1 \geq \ldots \geq \theta_n$ the weighting
formula is:

$S^{\Theta}(\mu_1, \ldots, \mu_n, \theta_1, \ldots, \theta_n) = (\theta_1 - \theta_2) S(\mu_1) + 2 \cdot (\theta_2 - \theta_3) S(\mu_1, \mu_2) + \ldots + n \cdot \theta_n S(\mu_1, \ldots, \mu_n)$

where $S^{\Theta}$ denotes the weighted scoring function based on the unweighted
function $S$, the weights $\theta_i$, and the scores $\mu_i$ with
$i = 1, \ldots, n$. There exist further weighted scoring functions employed in
various retrieval systems, see e.g. [21,22]. Nevertheless, we recommend using
Fagin's weighting formula to obtain weighted scoring functions since these meet
most of our requirements.

One problem occurs if Fagin's formula is applied to a scoring function without
idempotence. In case of equal input scores but different weights the formula
does not reduce to the unweighted case. Assume, for example, that the binary
t-norm is the algebraic product $\mu_1 \cdot \mu_2$ and $\mu_1 = \mu_2$ holds;
then Fagin's weighting produces

$(\theta_1 - \theta_2) \cdot \mu_1 + 2 \cdot \theta_2 \cdot \mu_1 \cdot \mu_1 = (1 - 2\theta_2) \cdot \mu_1 + 2 \cdot \theta_2 \cdot \mu_1 \cdot \mu_1 \neq \mu_1 \cdot \mu_1$.

We suggest a small modification of Fagin's formula:

$S^{\Theta}(\mu_1, \mu_2, \theta_1, \theta_2) = (\theta_1 - \theta_2) S(\mu_1, \mu_1) + 2 \cdot \theta_2 S(\mu_1, \mu_2)$

to solve this problem.
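The effect described above can be reproduced numerically. The following added example (not code from the paper) implements the n-ary weighting formula and the binary modification, and compares them on equal input scores for the algebraic product and for min; the function names and sample values are constructed for illustration, and the unary case is taken as S(μ) = μ.

```python
from functools import reduce
from math import isclose


def algebraic_product(a, b):
    """Non-idempotent t-norm: T(mu, mu) = mu**2, which differs from mu."""
    return a * b


def score(S, scores):
    """n-ary extension of a binary scoring function; the unary case is mu."""
    return reduce(S, scores)


def check_weights(weights):
    """The formula assumes non-negative weights that sum to 1."""
    if any(w < 0 for w in weights) or not isclose(sum(weights), 1.0):
        raise ValueError("weights must be non-negative and sum to 1")


def fagin_weighted(S, scores, weights):
    """Fagin's weighting formula for an n-ary scoring function S.

    Operands are first ordered by non-increasing weight, as the formula
    assumes theta_1 >= ... >= theta_n.
    """
    if not scores or len(scores) != len(weights):
        raise ValueError("need one weight per score")
    check_weights(weights)
    pairs = sorted(zip(weights, scores), key=lambda p: -p[0])
    thetas = [w for w, _ in pairs] + [0.0]   # theta_{n+1} = 0
    mus = [m for _, m in pairs]
    return sum((i + 1) * (thetas[i] - thetas[i + 1]) * score(S, mus[:i + 1])
               for i in range(len(mus)))


def modified_weighted(S, mu1, mu2, theta1, theta2):
    """Binary modification from the text: S(mu1) becomes S(mu1, mu1).

    mu1 is the operand carrying the larger weight theta1.
    """
    check_weights([theta1, theta2])
    if theta1 < theta2:
        raise ValueError("theta1 must be the larger weight")
    return (theta1 - theta2) * S(mu1, mu1) + 2 * theta2 * S(mu1, mu2)


def equal_score_report(S, mu, theta1, theta2):
    """Unweighted, Fagin and modified results for equal input scores."""
    return {
        "unweighted": S(mu, mu),
        "fagin": fagin_weighted(S, [mu, mu], [theta1, theta2]),
        "modified": modified_weighted(S, mu, mu, theta1, theta2),
    }


if __name__ == "__main__":
    # Constructed values: equal scores 0.5, weights 0.75 / 0.25.
    print("product:", equal_score_report(algebraic_product, 0.5, 0.75, 0.25))
    print("min:    ", equal_score_report(min, 0.5, 0.75, 0.25))
    print("3-ary min:", fagin_weighted(min, [0.9, 0.6, 0.3], [0.5, 0.3, 0.2]))
```

With min, which is idempotent, both formulas already agree with the unweighted score, so the modification only changes the result for non-idempotent scoring functions such as the product.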

4 Similarity Calculus 

In this section we formally define the syntax and semantics of our similarity 
calculus language. The design is based on the following principles: 

1. The language is a generalization of the relational domain calculus. Thus, 
every traditional relational domain query can be expressed and evaluated in 
our language producing the same query result. 

2. Fuzzy truth values are generated primarily by applying similarity predicates. 

3. The result of a query is a relation which contains all tuples with a non-zero 
truth value. 

4. Our language definitions provide an open framework for different scenarios 
with corresponding similarity predicates. That is, we exactly define the se- 
mantics of many language constructs, but leave the semantics of similarity 
predicates open. In this way, our language is open to cope, for example, with 
histogram intersections as a special similarity predicate. This predicate is 
required for measuring image similarity upon color distribution. 

5. User weights on operators are expressed by weight variables. Their values 
are fixed outside the query by an interpretation function. 

6. We introduce fuzzyfied quantifiers which soften the strict semantics of tra- 
ditional quantifiers. 



4.1 Syntax 

We start by defining the basic syntax elements of the language. 

Definition 4.1. We denote the similarity domain relation calculus $\mathcal{SDC}$
as a tuple $(\mathbf{U}, \mathbf{X}, \Delta, \mathbf{C}, \mathbf{D}, Dom, \mathbf{R}, \Theta)$,
where $\mathbf{U} = \{A_1, A_2, \ldots\}$ is the universe of attributes;
$\mathbf{X} = \{X_1, X_2, \ldots\}$ is a set of variables;
$\Delta = \{\delta_1, \delta_2, \ldots\}$ is a set




Similarity Relational Calculus and Its Reduction to a Similarity Algebra 257 



of binary, typed² operation names (we distinguish continuous operations, e.g.
similarity operations, from discrete operations, e.g. traditional comparison
operators); $\mathbf{C}$ is a set of constant names; $\mathbf{D}$ is a set of
domain names; $Dom$ is a mapping from
$\mathbf{U} \cup \mathbf{X} \cup \Delta \cup \mathbf{C}$ to $\mathbf{D}$;
$\mathbf{R}$ is a finite set of relation schemata $R_1, R_2, \ldots, R_p$, all
are subsets³ of $\mathbf{U}$; and $\Theta = \{\theta_1, \theta_2, \ldots\}$ is a
set of weight variables.

We build a calculus query expression $E$ over $\mathcal{SDC}$ from atoms and
formulas.

Definition 4.2. Let an atom be

1. $R(Y_1, Y_2, \ldots, Y_m)$, where $R \in \mathbf{R}$ is a relation schema
   $A_1, A_2, \ldots, A_m$ and for each $Y_i \in \mathbf{X} \cup \mathbf{C}$ the
   domain is sound: $Dom(Y_i) = Dom(A_i)$.

2. $Y_1 \delta Y_2$, where $\delta \in \Delta$ is an operation name (infix
   notation) and $Y_1, Y_2 \in \mathbf{X} \cup \mathbf{C}$ are consistently
   typed ($Dom(Y_1) = Dom(Y_2) = Dom(\delta)$).

Please note that both operands of a binary operation can be constants at the
same time. In this case, interpreting such an atom results in a truth value
independent from any variable.

Definition 4.3. An $\mathcal{SDC}$-formula $F(X_1, X_2, \ldots, X_n)$⁴, where
$X_i \in \mathbf{X}$, $i = 1, \ldots, n$ are the involved free variables, is
recursively defined:

1. Any atom is a formula $F(X_1, X_2, \ldots, X_n)$ where $X_i$ are the involved
   variables.

2. $(F_a(X_{a_1}, \ldots, X_{a_k})\ \phi\ F_b(X_{b_1}, \ldots, X_{b_l}))$ with
   $\phi \in \{\wedge, \overrightarrow{\wedge}_\theta, \overleftarrow{\wedge}_\theta, \vee, \overrightarrow{\vee}_\theta, \overleftarrow{\vee}_\theta\}$
   is a formula $F(X_1, \ldots, X_n)$ if $F_a(X_{a_1}, \ldots, X_{a_k})$ as well
   as $F_b(X_{b_1}, \ldots, X_{b_l})$ are formulas. Involved variables are
   united: $\{X_1, \ldots, X_n\} = \{X_{a_1}, \ldots, X_{a_k}\} \cup \{X_{b_1}, \ldots, X_{b_l}\}$.

   In case of using weighted operators
   ($\overrightarrow{\wedge}_\theta, \overleftarrow{\wedge}_\theta, \overrightarrow{\vee}_\theta, \overleftarrow{\vee}_\theta$),
   $\theta \in \Theta$ is a weight variable and $\overrightarrow{\wedge}_\theta$
   resp. $\overrightarrow{\vee}_\theta$ denotes that $F_b$ is stronger weighted
   than $F_a$ and $\overleftarrow{\wedge}_\theta$ resp.
   $\overleftarrow{\vee}_\theta$ denotes that $F_a$ is stronger weighted than
   $F_b$, respectively.

3. $(\neg F(X_1, \ldots, X_n))$ is a formula if $F(X_1, \ldots, X_n)$ is a
   formula.

4. $(\exists X F(X_1, \ldots, X_n))$ is a formula if $F(X_1, \ldots, X_n)$ is a
   formula and $X \in \{X_1, \ldots, X_n\}$.

5. $(\forall X F(X_1, \ldots, X_n))$ is a formula if $F(X_1, \ldots, X_n)$ is a
   formula and $X \in \{X_1, \ldots, X_n\}$.

6. $(\exists_k X F(X_1, \ldots, X_n))$ is a formula if $F(X_1, \ldots, X_n)$ is a
   formula, $k > 1$ is a natural number, and $X \in \{X_1, \ldots, X_n\}$.

7. $(\forall_k X F(X_1, \ldots, X_n))$ is a formula if $F(X_1, \ldots, X_n)$ is a
   formula, $k > 1$ is a natural number, and $X \in \{X_1, \ldots, X_n\}$.

2 Both operands are assumed to be from the same domain.

3 For convenience, we assume a fixed attribute order.

4 As short form we often write $F$ instead of $F(X_1, X_2, \ldots, X_n)$.
In our language we distinguish between left-oriented
($\overleftarrow{\wedge}_\theta$, $\overleftarrow{\vee}_\theta$) and
right-oriented ($\overrightarrow{\wedge}_\theta$, $\overrightarrow{\vee}_\theta$)
weighted operators. This is necessary because a weighted conjunction can
produce a non-zero membership value although one operand equals zero. The
reason is the requirement for a weighting formula that, if a weight is
completely on one side, the other operand should be completely ignored. In
order to reason over weighted operators we therefore introduce asymmetric
weighted operators.

The normal exists- and forall-quantifiers are sometimes too strict because
their results often depend on one single value. Therefore, we introduce the
fuzzyfied quantifiers $\exists_k X$ and $\forall_k X$, also called few and most.
In our approach, these quantifiers need at least $k$ different significant
$X$-values to behave like the normal $\exists$ and $\forall$, respectively.
Otherwise, the quantifiers provide only a corresponding fraction of the normal
quantifier value. The formal definition is given in Definition 4.8.

Definition 4.4. A query expression $E$ over $\mathcal{SDC}$ has the form

$\{X_1, X_2, \ldots, X_n \mid F(X_1, X_2, \ldots, X_n)\}$

where $F(X_1, X_2, \ldots, X_n)$ is an $\mathcal{SDC}$-formula and
$X_1, \ldots, X_n$ are the involved free variables.

The query asks for the values of all variables where the condition $F$ holds.

In order to guarantee finite and domain independent results we require safe
queries. To verify safety syntactically we adopt and extend the approach given
in [23]. Due to space restrictions, we do not discuss this aspect here and
refer to [9].

4.2 Semantics

After defining the syntax of our $\mathcal{SDC}$ language we specify the
semantics of $\mathcal{SDC}$-expressions. Therefore, we first give the
interpretation over $\mathcal{SDC}$ in Definition 4.5 followed by definitions
for variable mapping and evaluating atoms. We specify the semantics of an
$\mathcal{SDC}$-formula in Definition 4.8 and, finally, we define the semantics
of an $\mathcal{SDC}$-query expression.

Definition 4.5. An interpretation over
$\mathcal{SDC}(\mathbf{U}, \mathbf{X}, \Delta, \mathbf{C}, \mathbf{D}, Dom, \mathbf{R}, \Theta)$
is a triple $(\mathbf{d}, db, I)$, where

1. $\mathbf{d}$ is a finite set of domains $\{d_1, d_2, \ldots, d_q\}$, each
   domain is a non-empty, not necessarily finite set of values and $db$ is a
   finite set of finite relations $\{r_1, r_2, \ldots, r_p\}$ over these domains.

2. $I$ is an interpretation function which

   a) maps any domain name $D \in \mathbf{D}$ to a domain $I(D) \in \mathbf{d}$,

   b) maps any relation schema $R(A_1, A_2, \ldots, A_n) \in \mathbf{R}$ to a
      relation $I(R) \in db$ where
      $I(R) \subseteq I(Dom(A_1)) \times I(Dom(A_2)) \times \ldots \times I(Dom(A_n))$,

   c) maps any operation name $\delta \in \Delta$ to a binary function
      $I(\delta) : I(Dom(\delta)) \times I(Dom(\delta)) \to [0,1]$.⁵ By
      convention, there exists an operation '=' with the equality-semantics
      which can be applied to every datatype.

   d) maps any constant name $C \in \mathbf{C}$ to a value $I(C) \in I(Dom(C))$,

   e) maps any weight variable $\theta \in \Theta$ to a value
      $I(\theta) \in [0,1]$,

   f) maps the conjunction symbol '$\wedge$' to a fuzzy t-norm
      $I(\wedge) : [0,1] \times [0,1] \to [0,1]$. It must hold:
      $\forall \mu \in [0,1] : I(\wedge)(0, \mu) = I(\wedge)(\mu, 0) = 0$. Since
      '$\wedge$' is associative and commutative we generalize it to an n-ary
      operator.

   g) maps the weighted conjunction symbol '$\overrightarrow{\wedge}_\theta$'
      to a weighted fuzzy t-norm
      $I(\overrightarrow{\wedge}_\theta) : [0,1] \times [0,1] \times [0,1] \to [0,1]$.
      The first parameter is reserved for the weight $I(\theta)$. Furthermore,
      the following condition must hold:
      $\forall \nu, \mu \in [0,1] : I(\overrightarrow{\wedge}_\theta)(\nu, \mu, 0) = 0$.
      The value 0 for $\theta$ produces the unweighted conjunction whereas the
      value 1 ignores the less weighted operand:

      $\forall \mu_1, \mu_2 \in [0,1] : I(\overrightarrow{\wedge}_\theta)(0, \mu_1, \mu_2) = I(\wedge)(\mu_1, \mu_2)$

      $\forall \mu_1, \mu_2 \in [0,1] : I(\overrightarrow{\wedge}_\theta)(1, \mu_1, \mu_2) = \mu_2$.

      Furthermore, equal input scores are reduced to the unweighted case:

      $\forall \theta, \mu \in [0,1] : I(\overrightarrow{\wedge}_\theta)(\theta, \mu, \mu) = I(\wedge)(\mu, \mu)$.

      Mapping the weighted conjunction symbol '$\overleftarrow{\wedge}_\theta$'
      is analogous.

   h) maps the disjunction symbol '$\vee$' to a fuzzy t-conorm
      $I(\vee) : [0,1] \times [0,1] \to [0,1]$. It must hold:
      $\forall \mu \in [0,1] : I(\vee)(1, \mu) = I(\vee)(\mu, 1) = 1$. Since
      '$\vee$' is associative and commutative we generalize it to an n-ary
      operator.

   i) maps the weighted disjunction symbol '$\overrightarrow{\vee}_\theta$' to
      a weighted fuzzy t-conorm
      $I(\overrightarrow{\vee}_\theta) : [0,1] \times [0,1] \times [0,1] \to [0,1]$.
      The first parameter is reserved for the weight $I(\theta)$. Furthermore,
      the following condition must hold:
      $\forall \nu, \mu \in [0,1] : I(\overrightarrow{\vee}_\theta)(\nu, \mu, 1) = 1$.
      The value 0 for $\theta$ produces the unweighted disjunction whereas the
      value 1 ignores the less weighted operand:

      $\forall \mu_1, \mu_2 \in [0,1] : I(\overrightarrow{\vee}_\theta)(0, \mu_1, \mu_2) = I(\vee)(\mu_1, \mu_2)$

      $\forall \mu_1, \mu_2 \in [0,1] : I(\overrightarrow{\vee}_\theta)(1, \mu_1, \mu_2) = \mu_2$.

      Furthermore, equal input scores are reduced to the unweighted case:

      $\forall \theta, \mu \in [0,1] : I(\overrightarrow{\vee}_\theta)(\theta, \mu, \mu) = I(\vee)(\mu, \mu)$.

      Mapping the weighted disjunction symbol '$\overleftarrow{\vee}_\theta$' is
      analogous.

   j) maps the negation symbol '$\neg$' to a fuzzy negation
      $I(\neg) : [0,1] \to [0,1]$ with $\neg\neg\mu = \mu$. Furthermore, we
      require the fuzzy negation to conform to weighted and unweighted
      disjunction/conjunction w.r.t. DeMorgan's laws.

5 Discrete operation values are restricted to {0, 1} where 0 denotes false and
1 denotes true.

Please notice that the semantics of the operations
$\delta, \wedge, \overrightarrow{\wedge}_\theta, \overleftarrow{\wedge}_\theta, \vee, \overrightarrow{\vee}_\theta, \overleftarrow{\vee}_\theta$
is not predefined and can therefore be arbitrarily defined as long as the
specified restrictions are met. In this way, the language is defined as a
framework which works with many domain specific similarity operations and
fuzzy operations.

The common semantics of the fuzzy-conjunction is the min-function, and the
max-function for the fuzzy-disjunction. The dominant weighting formula is
Fagin's formula described in [10]. In the next definition we assign a value to
every variable.



Definition 4.6. Let $V$ be a variable mapping from $\mathbf{X}$ to
$\bigcup_{d \in \mathbf{d}} d$ where
$\forall X \in \mathbf{X} : V(X) \in I(Dom(X))$ holds.

Now we can assign a value to every atom.

Definition 4.7. The evaluation $V^*(F)$ of an $\mathcal{SDC}$ atom $F$ with
respect to a variable mapping $V$ and an interpretation function $I$ is given
by:

1. If $F = R(Y_1, Y_2, \ldots, Y_m)$ then $V^*(F) = 1$ if
   $(v_1, v_2, \ldots, v_m) \in I(R)$ where

   $\forall i \in \{1, \ldots, m\} : v_i = \begin{cases} V(Y_i) & \text{if } Y_i \text{ is a variable} \\ I(Y_i) & \text{if } Y_i \text{ is a constant name,} \end{cases}$

   otherwise $V^*(F) = 0$.

2. If $F = Y_1 \delta Y_2$ then $V^*(F) = I(\delta)(v_1, v_2)$ where $v_i$ is
   defined as above.



Definition 4.8. The semantics of an SDC-formula $F(X_1, X_2, \ldots, X_n)$, denoted
$I_V^*(F)$, based on the evaluation of atoms $V^*(F)$ and an interpretation function
$I$, is recursively defined:

1. If $F$ is an atom then $I_V^*(F) = V^*(F)$.

2. If $F$ is a conjunction $(F_1 \land F_2)$ then $I_V^*(F) = I(\land)(I_V^*(F_1), I_V^*(F_2))$.

3. If $F$ is a disjunction $(F_1 \lor F_2)$ then $I_V^*(F) = I(\lor)(I_V^*(F_1), I_V^*(F_2))$.

4. If $F$ is a weighted conjunction or disjunction $(F_1 \phi F_2)$ with
$\phi \in \{\overleftarrow{\land}_\theta, \overrightarrow{\land}_\theta, \overleftarrow{\lor}_\theta, \overrightarrow{\lor}_\theta\}$
then $I_V^*(F) = I(\phi)(I(\theta), I_V^*(F_1), I_V^*(F_2))$.

5. If $F$ is a negation $(\neg F_1)$ then $I_V^*(F) = I(\neg)(I_V^*(F_1))$.

6. If $F$ is an existentially bound formula $(\exists X F_1(X_1, \ldots, X_n))$ then
$I_V^*(F) = I(\lor)(I_{V_X}^*(F_1))$ where $V_X = \{V_x \mid V_x$ is a variable mapping where
$X_i \neq X$ implies $V_x(X_i) = V(X_i)$ for all $X_i \in \mathbf{X}\}$. The expression
$I(\lor)(I_{V_X}^*(F_1))$ denotes a disjunction over all variable mappings from $V_X$
applied to $F_1$. The set $V_X$ can be infinite. Due to distributivity and associativity,
the disjunction can be applied to an arbitrary number of truth values. Applied to one
value it returns exactly that value.

7. The $\forall$-case is analogous to the $\exists$-case except the disjunction is replaced by
the conjunction.

8. If $F$ is a $k$-existentially bound formula $(\exists_k X F_1(X_1, \ldots, X_n))$ then



E I*v x {F i) 



Iy(F) = I(V)(Iy x (Fi)) * min 



v x evx 



k*i(v)(r Vx (F 1 )y 



9. If $F$ is a $k$-universally bound formula $(\forall_k X F_1(X_1, \ldots, X_n))$ then



iv(F) = . . . ,*„)))))■ 
Now we are able to define the semantics of a query expression. We require a
non-zero truth value for every tuple of the result. Thus, the result of a query is
a relation.

Definition 4.9. The semantics of a query expression
$E = \{X_1, X_2, \ldots, X_n \mid F(X_1, X_2, \ldots, X_n)\}$, denoted $I^*(E)$, is
$\{(V(X_1), V(X_2), \ldots, V(X_n)) \mid I_V^*(F(X_1, X_2, \ldots, X_n)) > 0\}$.



5 Similarity Algebra 

In the following we introduce our similarity algebra SA, which is the target
language for mapping from SDC expressions. We do not consider it a language
against which users formulate queries. SA enhances traditional relational algebra
by introducing vagueness and weighting. The similarity algebra SA is defined as
follows:

Definition 5.1. The tuple $(U, A, C, D, Dom, R, \Theta)$ denotes the similarity
algebra SA, where $U, A, C, D, Dom, R, \Theta$ have the same meaning as for the
SDC language (see Definition 4.1).

Let $att(E)$ be all attributes occurring in an algebra expression $E$. Every
attribute is denoted by the ordinal number $\#i$ of its occurrence in $E$. We now
define a similarity algebra expression as given in the following definition.

Definition 5.2. A similarity algebra expression $E$ over a similarity algebra SA
is the smallest class of expressions which include the following:

1. $0$, that is a special relation needed for the mapping.

2. $1$, that is a special relation needed for the mapping.

3. $R \in \mathbf{R}$

4. $Dom_D$ with $D \in \mathbf{D}$

5. $\pi_{\#p_1, \#p_2, \ldots, \#p_n}(E)$, where $E$ is a similarity algebra expression and
$\{\#p_1, \#p_2, \ldots, \#p_n\} \subseteq att(E)$.

6. $\pi^{k}_{\#p_1, \#p_2, \ldots, \#p_n}(E)$, where $E$ is a similarity algebra expression, $k > 1$ a
natural number, and $\{\#p_1, \#p_2, \ldots, \#p_n\} \subseteq att(E)$. This operation is the
counterpart for the k-exists-quantifier of the similarity calculus.

7. $\sigma_{y_i \delta y_j}(E)$, where $\delta \in \mathbf{A}$ is a binary operation and
$Dom(y_i) = Dom(y_j) = Dom(\delta)$, $\{y_i, y_j\} \subseteq att(E) \cup \mathbf{C}$, and $E$ is a
similarity algebra expression. Both operands can be constants at the same time. We
sometimes specify a list of conjunctively combined simple conditions as a short form
of a list of corresponding selections.

8. unions: $(E_1 \cup E_2)$, $(E_1 \overleftarrow{\cup}_\theta E_2)$, $(E_1 \overrightarrow{\cup}_\theta E_2)$ where $E_1$ and $E_2$ are
union compatible⁵ similarity algebra expressions.

9. intersections: $(E_1 \cap E_2)$, $(E_1 \overleftarrow{\cap}_\theta E_2)$, $(E_1 \overrightarrow{\cap}_\theta E_2)$ where $E_1$ and $E_2$ are
union compatible similarity algebra expressions.

10. $(E_1 \setminus E_2)$, where $E_1$ and $E_2$ are union compatible similarity algebra
expressions.

11. $(E_1 \times E_2)$, where $E_1$ and $E_2$ are similarity algebra expressions. Since '$\times$' is
associative and commutative we generalize it to an n-ary cartesian product.

12. $(E_1 \bowtie_{\#i_1 = \#j_1, \ldots, \#i_m = \#j_m} E_2)$ where $E_1$ and $E_2$ are similarity algebra
expressions and $\{\#i_1, \ldots, \#i_m\} \subseteq att(E_1)$, $\{\#j_1, \ldots, \#j_m\} \subseteq att(E_2)$.

⁵ Union compatibility means that the two expressions $E_1$ and $E_2$ must share the same
number of attributes and the same domain for every corresponding attribute pair.

The interpretation of a similarity algebra $SA(U, A, C, D, Dom, R, \Theta)$ except for
the operations is the same as for SDC. Therefore, we refer to Definition 4.5.

In the following, we define the semantics of an algebra expression. Notice that
we equip relations with an artificial membership attribute at the first attribute
position. Our algebra can deal with infinite sets. Since the algebra is intended to
be a target language we assume any algebra expression to be created by mapping
an SDC-query. As we will see later, any safe SDC-query is mapped to an algebra
expression based on finite sets.

Definition 5.3. The semantics of an algebra expression $E$ is inductively defined
by the interpretation function $I^*$:

1. 0-relation $E = 0$: $I^*(0) = \{(1, 0)\}$ is a relation with exactly one tuple with
membership value 1 and an arbitrary attribute value, preferably the value 0.

2. 1-relation $E = 1$: $I^*(1) = \{(1)\}$ is a relation with exactly one tuple with
membership value 1 and no attribute value.

3. relation name $E = R \in \mathbf{R}$: $I^*(R) = \{(1, v_1, v_2, \ldots, v_n) \mid (v_1, v_2, \ldots, v_n) \in I(R)\}$
where $A_1, A_2, \ldots, A_n$ are the attributes of $R$. All tuples are equipped
with a membership value 1 since they are considered as true facts.

4. domain $E = Dom_D$: $I^*(Dom_D) = \{(1, v) \mid v \in I(D)\}$. All domain values are
equipped with a membership value 1 since they are considered as true facts.
Please notice that the interpretation of a domain can be an infinite set.

5. projection $E = \pi_{\#p_1, \#p_2, \ldots, \#p_n}(E_1)$: Let $v_{0_1}, \ldots, v_{0_l}$ be all membership
values for a fixed value list $v_{p_1}, \ldots, v_{p_n}$ where $(v_{0_i}, v_1, \ldots, v_m) \in I^*(E_1)$
holds and the corresponding values are identical: $p_i = j \Rightarrow v_{p_i} = v_j$ for
$i = 1, \ldots, n$.
$I^*(\pi_{\#p_1, \#p_2, \ldots, \#p_n}(E_1)) = \{(u_0, v_{p_1}, v_{p_2}, \ldots, v_{p_n}) \mid (v_{0_i}, v_1, \ldots, v_m) \in I^*(E_1)\}$ where

$$u_0 = \begin{cases} I(\lor)(v_{0_1}, \ldots, v_{0_l}) & \text{if } l > 1 \\ v_{0_1} & \text{if } l = 1. \end{cases}$$

Please notice that duplicate elimination means an OR-aggregation of grouped
membership values. For convenience, we apply an n-ary OR-operator since
the binary OR-operator as a t-conorm holds commutativity and associativity.

6. projection $E = \pi^{k}_{\#p_1, \#p_2, \ldots, \#p_n}(E_1)$: Let $v_{0_1}, \ldots, v_{0_l}$ be all membership
values for a fixed value list $v_{p_1}, \ldots, v_{p_n}$ where $(v_{0_i}, v_1, \ldots, v_m) \in I^*(E_1)$ holds,
the corresponding values are identical: $p_i = j \Rightarrow v_{p_i} = v_j$ for $i = 1, \ldots, n$,
and



u 0 = I(V)(v 0l , . 



,v 0l ) * min 



VOi 



V 0l 



k*I(V)(v 0l ,... ,v 0l )’ 
$I^*(\pi^{k}_{\#p_1, \#p_2, \ldots, \#p_n}(E_1)) = \{(u_0, v_{p_1}, v_{p_2}, \ldots, v_{p_n}) \mid (v_{0_i}, v_1, \ldots, v_m) \in I^*(E_1)\}$



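7. selection $E = \sigma_{y_i \delta y_j}(E_1)$:

$I^*(\sigma_{y_i \delta y_j}(E_1)) = \{(u_0, v_1, \ldots, v_n) \mid (v_0, v_1, \ldots, v_n) \in I^*(E_1) \land u_0 = I(\land)(v_0, I(\delta)(y_i, y_j)) \land u_0 > 0\}$ where

$$y_i = \begin{cases} v_i & \text{if } y_i \text{ is an attribute} \\ I(y_i) & \text{if } y_i \text{ is a constant name,} \end{cases} \qquad y_j = \begin{cases} v_j & \text{if } y_j \text{ is an attribute} \\ I(y_j) & \text{if } y_j \text{ is a constant name.} \end{cases}$$

A selection without condition means no restriction: $I^*(\sigma(E_1)) = I^*(E_1)$.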

8. unions:

- union $E = (E_1 \cup E_2)$: $I^*((E_1 \cup E_2)) =$
$\{(I(\lor)(v_0, w_0), v_1, \ldots, v_k) \mid (v_0, v_1, \ldots, v_k) \in I^*(E_1) \land (w_0, v_1, \ldots, v_k) \in I^*(E_2)\}$
$\cup\ \{(I(\lor)(v_0, 0), v_1, \ldots, v_k) \mid (v_0, v_1, \ldots, v_k) \in I^*(E_1) \land \forall w_0.(w_0, v_1, \ldots, v_k) \notin I^*(E_2)\}$
$\cup\ \{(I(\lor)(0, w_0), v_1, \ldots, v_k) \mid (w_0, v_1, \ldots, v_k) \in I^*(E_2) \land \forall v_0.(v_0, v_1, \ldots, v_k) \notin I^*(E_1)\}$.

- weighted union $E = (E_1 \overrightarrow{\cup}_\theta E_2)$: $I^*((E_1 \overrightarrow{\cup}_\theta E_2)) =$
$\{(u_0, v_1, \ldots, v_k) \mid (v_0, v_1, \ldots, v_k) \in I^*(E_1) \land (w_0, v_1, \ldots, v_k) \in I^*(E_2) \land u_0 > 0\}$
$\cup\ \{(u_0, v_1, \ldots, v_k) \mid (v_0, v_1, \ldots, v_k) \in I^*(E_1) \land \forall w_0.(w_0, v_1, \ldots, v_k) \notin I^*(E_2) \land u_0 > 0\}$
$\cup\ \{(u_0, v_1, \ldots, v_k) \mid (w_0, v_1, \ldots, v_k) \in I^*(E_2) \land \forall v_0.(v_0, v_1, \ldots, v_k) \notin I^*(E_1) \land u_0 > 0\}$ where

$$u_0 = \begin{cases} I(\overrightarrow{\lor}_\theta)(I(\theta), v_0, w_0) & \text{case 1} \\ I(\overrightarrow{\lor}_\theta)(I(\theta), v_0, 0) & \text{case 2} \\ I(\overrightarrow{\lor}_\theta)(I(\theta), 0, w_0) & \text{case 3} \end{cases}$$

Please notice that due to the weighted disjunction the weighted union
is not associative. The semantics of $E = (E_1 \overleftarrow{\cup}_\theta E_2)$ is analogously
defined.

9. intersections:

- intersection $E = (E_1 \cap E_2)$: $I^*((E_1 \cap E_2)) =$
$\{(u_0, v_1, \ldots, v_k) \mid (v_0, v_1, \ldots, v_k) \in I^*(E_1) \land (w_0, v_1, \ldots, v_k) \in I^*(E_2) \land u_0 = I(\land)(v_0, w_0) > 0\}$.

- weighted intersection $E = (E_1 \overrightarrow{\cap}_\theta E_2)$: $I^*((E_1 \overrightarrow{\cap}_\theta E_2)) =$
$\{(u_0, v_1, \ldots, v_k) \mid (v_0, v_1, \ldots, v_k) \in I^*(E_1) \land (w_0, v_1, \ldots, v_k) \in I^*(E_2) \land u_0 > 0\}$
$\cup\ \{(u_0, v_1, \ldots, v_k) \mid (w_0, v_1, \ldots, v_k) \in I^*(E_2) \land \forall v_0.(v_0, v_1, \ldots, v_k) \notin I^*(E_1) \land u_0 > 0\}$ where

$$u_0 = \begin{cases} I(\overrightarrow{\land}_\theta)(I(\theta), v_0, w_0) & \text{case 1} \\ I(\overrightarrow{\land}_\theta)(I(\theta), 0, w_0) & \text{case 2} \end{cases}$$

Please notice that due to the weighted conjunction the weighted intersection
is not associative. Furthermore notice that the definition of the
weighted intersection does not correspond to a set intersection. The reason
is the observation that a weighted conjunction with one zero-valued
operand can produce a non-zero result. The semantics of $E = (E_1 \overleftarrow{\cap}_\theta E_2)$
is analogously defined.

10. difference $E = (E_1 \setminus E_2)$: $I^*((E_1 \setminus E_2)) =$
$\{(u_0, v_1, \ldots, v_k) \mid (v_0, v_1, \ldots, v_k) \in I^*(E_1) \land \forall w_0.(w_0, v_1, \ldots, v_k) \notin I^*(E_2) \land u_0 > 0\}$
$\cup\ \{(u_0, v_1, \ldots, v_k) \mid (v_0, v_1, \ldots, v_k) \in I^*(E_1) \land (w_0, v_1, \ldots, v_k) \in I^*(E_2) \land u_0 > 0\}$ where

$$u_0 = \begin{cases} I(\land)(v_0, I(\neg)(0)) & \text{case 1} \\ I(\land)(v_0, I(\neg)(w_0)) & \text{case 2} \end{cases}$$

11. cartesian product $E = E_a \times E_b$:
$I^*(E_a \times E_b) = \{(u_0, v_1, \ldots, v_k, w_1, \ldots, w_l) \mid (v_0, v_1, \ldots, v_k) \in I^*(E_a) \land (w_0, w_1, \ldots, w_l) \in I^*(E_b) \land u_0 = I(\land)(v_0, w_0)\}$

12. join $E = E_a \bowtie_{\#a_1 = \#b_1, \ldots, \#a_n = \#b_n} E_b$:
$I^*(E_a \bowtie_{\#a_1 = \#b_1, \ldots, \#a_n = \#b_n} E_b) = \{(u_0, v_1, \ldots, v_k, w_1, \ldots, w_l) \mid (v_0, v_1, \ldots, v_k) \in I^*(E_a) \land (w_0, w_1, \ldots, w_l) \in I^*(E_b) \land \forall i \in \{1, \ldots, n\}.\ v_{a_i} = w_{b_i} \land u_0 = I(\land)(v_0, w_0)\}$

A join with an empty condition produces the cartesian product.

Please note that every operation yields tuples with nonzero membership values.

6 Reducing SDC to SA

In this section we show that the similarity algebra SA is as expressive as the
similarity domain calculus SDC.

Theorem 6.1. Let $SDC = (U, X, A, C, D, Dom, R, \Theta)$ be a similarity relational
domain calculus and $SA = (U, A, C, D, Dom, R, \Theta)$ be a similarity relational
algebra. For any SDC formula $F$ there is an SA expression $E$ such that their
queries are equivalent for any corresponding semantics:

$\{(V(X_1), \ldots, V(X_n)) \mid I_V^*(F(X_1, \ldots, X_n)) > 0\} = \{(v_1, \ldots, v_n) \mid (v_0, v_1, \ldots, v_n) \in I^*(E) \land v_0 > 0\}$.

Proof. We prove Theorem 6.1 by constructively defining a mapping $\varphi$ of an SDC
formula $F$ to a similarity algebra expression $E = \varphi(F)$:

1. case $F = R(Y_1, Y_2, \ldots, Y_m)$: $\varphi(F) = \pi_{\#v_1, \ldots, \#v_n}(\sigma_{cond_c, cond_v}(R))$ where

- $cond_c := \#i_1 = C_{i_1}, \ldots, \#i_l = C_{i_l}$ where $Y_{i_1}, \ldots, Y_{i_l}$ are all constant
names $C_{i_1}, \ldots, C_{i_l}$,

- $cond_v := \#j_1 = \#k_1, \ldots, \#j_o = \#k_o$ where $Y_{j_1} = Y_{k_1}, \ldots, Y_{j_o} = Y_{k_o}$ are
all pairs of equally named variables reduced by reflexivity, symmetry,
and transitivity on the attribute positions, and

- $\#v_1, \ldots, \#v_n$ lists uniquely the attributes for all variables $Y_{v_i}$ in the
order of the variables.

2. case $F = Y_1 \delta Y_2$:

- if $Y_1, Y_2 \in \mathbf{X} \land Y_1 \neq Y_2$ then $\varphi(F) = \sigma_{\#1 \delta \#2}(Dom_D \times Dom_D)$;

- if $Y_1, Y_2 \in \mathbf{X} \land Y_1 = Y_2$ then $\varphi(F) = \pi_{\#1}(\sigma_{\#1 \delta \#2}(\pi_{\#1, \#2}(Dom_D)))$;

- if $Y_1 \in \mathbf{X}$ and $Y_2$ is a constant $C \in \mathbf{C}$ then $\varphi(F) = \sigma_{\#1 \delta C}(Dom_D)$;

- if $Y_2 \in \mathbf{X}$ and $Y_1$ is a constant $C \in \mathbf{C}$ then $\varphi(F) = \sigma_{C \delta \#1}(Dom_D)$;

- if $Y_1$ and $Y_2$ are constants $C_1, C_2 \in \mathbf{C}$, respectively, then
$\varphi(F) = \sigma_{C_1 \delta C_2}(1)$;

where $D = Dom(\delta)$.

3. case $F = (F_a(X_{a1}, \ldots, X_{ak}) \land F_b(X_{b1}, \ldots, X_{bl}))$:
$\varphi(F) = \pi_{\#p_1, \ldots, \#p_n}(\varphi(F_a) \bowtie_{cond_e} \varphi(F_b))$, where

- $cond_e := \#v_1 = \#w_1, \ldots, \#v_m = \#w_m$ with $X_{av_i} = X_{bw_i}$ for
$i = 1, \ldots, m$ and

- $\#p_1, \ldots, \#p_n$ lists uniquely the corresponding attributes for all variables
$X_{a1}, \ldots, X_{ak}, X_{b1}, \ldots, X_{bl}$ in the order of the variables.

4. weighted and-cases:

case $F = (F_a(X_{a1}, \ldots, X_{ak}) \overrightarrow{\land}_\theta F_b(X_{b1}, \ldots, X_{bl}))$: $\varphi(F) = E_a \overrightarrow{\cap}_\theta E_b$,
where

$E_a = \pi_{\#i_1, \ldots, \#i_m}(\varphi(F_a) \times Dom_{D_{bo_1}} \times \ldots \times Dom_{D_{bo_{z-k}}})$

$E_b = \pi_{\#j_1, \ldots, \#j_m}(\varphi(F_b) \times Dom_{D_{ap_1}} \times \ldots \times Dom_{D_{ap_{z-l}}})$

and the following conditions hold:

- $\{X_{a1}, \ldots, X_{ak}, X_{b1}, \ldots, X_{bl}\}$ correspond bijectively to $att(E_a)$
and $att(E_b)$, respectively,

- the attributes of $E_a$ and of $E_b$ occur in the order of the variables,

- $z = |\{X_{a1}, \ldots, X_{ak}, X_{b1}, \ldots, X_{bl}\}|$, and

- $D_{bo_i} = Dom(X_{bo_i})$ and $D_{ap_i} = Dom(X_{ap_i})$.

The case for the left-oriented conjunction $\overleftarrow{\land}_\theta$ is defined analogously.

5. or-cases (unweighted and weighted): These cases are defined analogously to
the weighted and-cases. $\lor$ is mapped to $\cup$, $\overleftarrow{\lor}_\theta$ is mapped to $\overleftarrow{\cup}_\theta$, and
$\overrightarrow{\lor}_\theta$ is mapped to $\overrightarrow{\cup}_\theta$.

6. case $F = (\neg F_1(X_1, \ldots, X_m))$: $\varphi(F) = (Dom_{D_1} \times \ldots \times Dom_{D_m}) \setminus \varphi(F_1)$,
where $D_i = Dom(X_i)$. If $F_1$ has no variables ($m = 0$) then $\varphi(F) = 1 \setminus \varphi(F_1)$.

7. case $F = (\exists X F_1(X_1, \ldots, X_{l-1}, X, X_{l+1}, \ldots, X_m))$:
$\varphi(F) = \pi_{\#p_1, \ldots, \#p_{m-1}}(\varphi(F_1(X_1, \ldots, X_{l-1}, X, X_{l+1}, \ldots, X_m)))$, where
$\#p_1, \ldots, \#p_{m-1}$ lists the corresponding attributes for all variables
$X_1, \ldots, X_{l-1}, X_{l+1}, \ldots, X_m$ in the order of the variables.

8. case $F = (\exists_k X F_1(X_1, \ldots, X_{l-1}, X, X_{l+1}, \ldots, X_m))$:
$\varphi(F) = \pi^{k}_{\#p_1, \ldots, \#p_{m-1}}(\varphi(F_1(X_1, \ldots, X_{l-1}, X, X_{l+1}, \ldots, X_m)))$, where
$\#p_1, \ldots, \#p_{m-1}$ lists the corresponding attributes for all variables
$X_1, \ldots, X_{l-1}, X_{l+1}, \ldots, X_m$ in the order of the variables.

9. case $F = (\forall X F_1)$: $\varphi(F) = \varphi((\neg(\exists X(\neg F_1))))$,

10. case $F = (\forall_k X F_1)$: $\varphi(F) = \varphi((\neg(\exists_k X(\neg F_1))))$.
Mapping an SDC-formula to the similarity algebra can produce similarity algebra
expressions containing the Dom-operation. In such cases, the expression is
domain dependent. If, however, an SDC-formula is evaluable (see [9]) and we
map it to the similarity algebra then we can replace all occurring Dom-operations
by similarity algebra expressions over database relations and obtain domain
independent algebra expressions.

Theorem 6.2. Let $SDC = (U, X, A, C, D, Dom, R, \Theta)$ be a similarity relational
domain calculus and $SA = (U, A, C, D, Dom, R, \Theta)$ be a similarity relational
algebra. For any evaluable SDC formula $F$ there is a domain independent
SA expression $E$ such that their queries are equivalent for any corresponding
semantics:

$\{(V(X_1), \ldots, V(X_n)) \mid I_V^*(F(X_1, \ldots, X_n)) > 0\} = \{(v_1, \ldots, v_n) \mid (v_0, v_1, \ldots, v_n) \in I^*(E) \land v_0 > 0\}$.

Proof. We prove Theorem 6.2 by modifying the mapping $\varphi$ from the proof of
Theorem 6.1 to the mapping $\varphi^*$ of an evaluable SDC formula $F$ to a similarity
algebra expression $\varphi^*(F)$.

Let $E = \{X_1, X_2, \ldots, X_n \mid F(X_1, X_2, \ldots, X_n)\}$ be an evaluable SDC query
and let

$rel(X) = ((E_1) \cap \ldots \cap (E_m))$ as defined in [9].

1. For every atom $Y_1 \delta Y_2$ within $F$ replace the corresponding algebra term

a) $\sigma_{\#1 \delta \#2}(Dom_D \times Dom_D)$ in $\varphi(F)$ by $\sigma_{\#1 \delta \#2}(rel(Y_1) \times rel(Y_2))$ if
$Y_1, Y_2 \in \mathbf{X} \land Y_1 \neq Y_2$,

b) $\pi_{\#1}(\sigma_{\#1 \delta \#2}(\pi_{\#1, \#2}(Dom_D)))$ in $\varphi(F)$ by $\pi_{\#1}(\sigma_{\#1 \delta \#2}(\pi_{\#1, \#2}(rel(Y_1))))$
if $Y_1, Y_2 \in \mathbf{X} \land Y_1 = Y_2$,

c) $\sigma_{\#1 \delta C}(Dom_D)$ in $\varphi(F)$ by $\sigma_{\#1 \delta Y_2}(rel(Y_1))$ if $Y_1 \in \mathbf{X}, Y_2 \in \mathbf{C}$, and

d) $\sigma_{C \delta \#1}(Dom_D)$ in $\varphi(F)$ by $\sigma_{Y_1 \delta \#1}(rel(Y_2))$ if $Y_1 \in \mathbf{C}, Y_2 \in \mathbf{X}$.

2. weighted conjunctions and disjunctions: For every weighted conjunction
$(F_a(X_{a1}, \ldots, X_{ak}) \overrightarrow{\land}_\theta F_b(X_{b1}, \ldots, X_{bl}))$ in $F$ replace the corresponding
algebra term $E_a \overrightarrow{\cap}_\theta E_b$ in $\varphi(F)$ by $E'_a \overrightarrow{\cap}_\theta E'_b$ where

$E'_a = (\pi_{\#i_1, \ldots, \#i_m}(\varphi(F_a) \times rel'(X_{bo_1}) \times \ldots \times rel'(X_{bo_{z-k}})))$

$E'_b = (\pi_{\#j_1, \ldots, \#j_m}(\varphi(F_b) \times rel'(X_{ap_1}) \times \ldots \times rel'(X_{ap_{z-l}})))$

and the following conditions hold:

- $\{X_{a1}, \ldots, X_{ak}, X_{b1}, \ldots, X_{bl}\}$ correspond bijectively to $att(E'_a)$
and $att(E'_b)$, respectively,

- the attributes of $E'_a$ and of $E'_b$ occur in the same order, and

- $z = |\{X_{a1}, \ldots, X_{ak}, X_{b1}, \ldots, X_{bl}\}|$.

$$rel'(X) = \begin{cases} rel(X) \cup 0 & \text{if } X \text{ is bound to } \exists \text{ or } \forall \\ rel(X) & \text{otherwise} \end{cases}$$

The cases for $\overleftarrow{\land}_\theta$, $\lor$, $\overleftarrow{\lor}_\theta$, and $\overrightarrow{\lor}_\theta$ are defined analogously.

3. For every negation $(\neg F_1(X_1, \ldots, X_m))$ within $F$ replace the corresponding
algebra term
$(Dom_{D_1} \times \ldots \times Dom_{D_m}) \setminus \varphi(F_1)$ in $\varphi(F)$ by $(rel(X_1) \times \ldots \times rel(X_m)) \setminus \varphi(F_1)$.

Now we are able to formulate weighted similarity queries in a declarative manner
using SDC and to reduce them to an equivalent algebra expression. Thus,
the evaluation of those similarity queries can be processed based on the proposed
SA.



7 The Phantom Problem 

Assume the following evaluable calculus formula $\exists X(R_1(X) \lor R_2(C_1))$ is given
and the relation $I(R_1)$ is an empty relation. If additionally the second relation
contains the constant value, then the formula is satisfied and returns true.

Consider now the mapping to the similarity algebra. Following the mapping
rule for the $\lor$-construct we have to unite ($\cup$) two algebra expressions. Since both
expressions are not union compatible the right expression needs to be combined
with the relation $I(R_1)$ applying the cartesian product. However, in our case
the relation $I(R_1)$ is empty and the cartesian product with an empty relation
always produces an empty relation. Therefore, the complete algebra expression
returns no tuple. This contradicts the result of the calculus expression and we
call it the phantom problem.

We solve this problem by never using an empty relation for becoming union
compatible. This is achieved by applying the '$\cup\ 0$' operation to $R_1$.⁷

The phantom problem becomes worse if we replace $\exists X$ by $\exists_k X$:
$(\exists_k X(R_1(X) \lor R_2(C_1)))$. In this case, the formula is not domain independent
anymore. The reason is that the result depends on the number of elements of the
domain for $X$. Therefore, for evaluable formulas we do not allow any disjunction
or weighted conjunction with a subformula independent from $X$ below an $\exists_k X$
or a $\forall_k X$ construct.
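The phantom problem and its '$\cup\ 0$' repair can be traced on a small fuzzy relational algebra. The following Python sketch is an added illustration, not code from the paper: it assumes min/max for $I(\land)$/$I(\lor)$, a crisp equality predicate, $rel(X) = R_1$, and constructed sample relations; all function names are hypothetical.

```python
# Added illustration (not the paper's code). Relations follow Definition 5.3:
# a dict maps each attribute tuple to its membership value.
# Assumption: I(AND) = min and I(OR) = max, the common semantics named in the text.

def crisp(tuples):
    """Database relation: every stored tuple is a true fact (membership 1)."""
    return {tuple(t): 1.0 for t in tuples}


ZERO = {(0,): 1.0}  # the special 0-relation: one tuple with attribute value 0


def product(ea, eb):
    """Cartesian product: memberships are combined with I(AND) = min."""
    return {va + wb: min(ma, mb)
            for va, ma in ea.items() for wb, mb in eb.items()}


def union(ea, eb):
    """Union: memberships of equal tuples are combined with I(OR) = max."""
    out = dict(ea)
    for t, m in eb.items():
        out[t] = max(out.get(t, 0.0), m)
    return out


def project(e, positions):
    """Projection; duplicates are merged by OR-aggregation (max)."""
    out = {}
    for t, m in e.items():
        key = tuple(t[p] for p in positions)
        out[key] = max(out.get(key, 0.0), m)
    return out


def select_const(e, position, const):
    """Selection '#position = const' with a crisp equality predicate."""
    return {t: m for t, m in e.items() if t[position] == const}


def algebra_result(r1, r2, c1, pad_with_zero):
    """Algebra expression for  EXISTS X (R1(X) OR R2(C1)),  with rel(X) = R1."""
    left = r1                                         # phi(R1(X)), attribute X
    right = project(select_const(r2, 0, c1), [])      # phi(R2(C1)), no attributes
    rel_x = union(r1, ZERO) if pad_with_zero else r1  # rel'(X) versus rel(X)
    right = product(right, rel_x)                     # now union compatible
    return project(union(left, right), [])            # EXISTS X: project X away


def calculus_truth(r1, r2, c1, domain):
    """Calculus side: I(OR) over all bindings of X of max(R1(X), R2(C1))."""
    return max(max(r1.get((x,), 0.0), r2.get((c1,), 0.0)) for x in domain)


# Constructed sample data: R1 is empty, R2 contains the constant "c1".
R1_EMPTY = crisp([])
R2 = crisp([("c1",), ("c2",)])
DOMAIN_X = ["a", "b"]

if __name__ == "__main__":
    print("calculus:", calculus_truth(R1_EMPTY, R2, "c1", DOMAIN_X))
    print("algebra without padding:", algebra_result(R1_EMPTY, R2, "c1", False))
    print("algebra with 'union 0': ", algebra_result(R1_EMPTY, R2, "c1", True))
```

A non-empty query result (the single empty tuple with membership 1) corresponds to "true"; without the padding the product with the empty $R_1$ erases the contribution of $R_2(C_1)$.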



8 Example 

In order to demonstrate the potential of our approach we will demonstrate the 
transformation process on an example using a fabric seller database. Information 
of different fabrics is stored in Table Fabric. To each fabric there exist several 
images that are stored in Table Image. A small fragment of these tables is shown 
below. For similarity calculation between the given images and those in the 
database different similarity operators are available, e. g. to determine the 
similarity regarding the color feature. 

⁷ See rule 2 in the proof for Theorem 6.2.

Fabric

FId    Name           Quality
F001   tartan_0815    high
F002   tartan_0816    low
F003   blue_stripes   high

Image

IId    FId    Image
I001   F001   tartan_0815_1.jpg
I002   F001   tartan_0815_2.jpg
I003   F002   tartan_0816_1.jpg
I004   F003   blue_stripes_1.jpg

Consider the following query:

»Retrieve name and quality of those fabrics that have a high quality or
that match the given query image ($C_{Image}$) in color and texture. Thereby,
color is twice as important as texture and the quality criteria is three
times less important than the similarity to the given images.«

Formulating queries in a declarative way is much more comfortable for the user
since the user only describes what he is interested in and not how it can be obtained
from the database. Therefore, we can directly formulate this query as an
SDC-expression, which is illustrated in Fig. 1. Compared to the algebra expression in
Fig. 2 the calculus expression is less complex and easier to understand.



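[Figure: query tree with the nodes $\exists X_{FId}$, $\exists X_{IId}$, $\exists X_I$, $\land$, $\lor_{\theta_1}$, $\land_{\theta_2}$,
$Fabric(X_{FId}, X_N, X_Q)$, $Image(X_{IId}, X_{FId}, X_I)$, $X_Q = C_{high}$,
$X_I \sim_C C_{Image}$, $X_I \sim_T C_{Image}$.]

Fig. 1. Query tree of the SDC-expression with the free variables $X_N$ and $X_Q$.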



Of course, querying directly in calculus is still too difficult for a non-expert 
user. For that reason we are currently designing a graphical QBE-like query 
language. From there, a mapping onto our calculus can be easily performed. 

Mapping our SDC query expression yields a complex SA expression, which
corresponds to the query tree shown in Figure 2.

[Figure: query tree over the leaves Fabric, Image, Fabric, Image, Image, Image, Fabric.]

Fig. 2. Query tree of the generated SA-expression.

We use Fagin's weighting formula [10] for the weighted combination of similarity
values. As underlying scoring function we employ the functions min for
conjunction and max for disjunction. In order to work appropriately with the
weighting formula we transform our operator weights to operand weights as
shown in Section 3.

Due to the specified user preferences, which state that the quality criteria
is three times less important than the similarity criteria, we obtain for $\lor_{\theta_1}$ the
weight $\theta_1 = 1/2$. The corresponding operand weights are therefore $\theta_{quality} = 1/4$
and $\theta_{\sim} = 3/4$. Since color should be twice as important as texture, the weight
$\theta_2$ for the operation $\land_{\theta_2}$ is 1/3, which corresponds to the operand weights
$\theta_{\sim_C} = 2/3$ and $\theta_{\sim_T} = 1/3$. The constant $C_{high}$ is evaluated to the string 'high'
and the constant $C_{Image}$ corresponds to a query image. The calculated similarity
values for the subformulas are summarized in Table Similarity Values. The query
result is shown in Table Result. The final projection eliminates duplicates. Thus,
the tuple with the highest score of the duplicates is taken. For fabric tartan_0815
the tuple with score 0.9 is chosen, whereas the duplicate tuple with score 0.69 is
omitted.



Similarity Values

IId    $\sim_C$   $\sim_T$   $\land_{\theta_2}$   $\lor_{\theta_1}$
I001   0.7        0.2        0.37                 0.69
I002   0.8        0.9        0.80                 0.90
I003   0.9        0.4        0.57                 0.57
I004   0.1        0.8        0.10                 0.55

Result

Name           Quality   Score
tartan_0815    high      0.90
tartan_0816    low       0.57
blue_stripes   high      0.55
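The numbers in the two tables can be recomputed from the operand weights given above. The following Python sketch is an added example, not the authors' implementation: it uses Fagin's weighting formula in its general m-operand form with min/max as scoring functions, assumes that the predicate $X_Q = C_{high}$ is a crisp equality scoring 1 or 0, and takes the first two value columns of Table Similarity Values as the color and texture similarities; all function names are hypothetical.

```python
# Added illustration (not the paper's code).

def fagin_weighted(score_fn, weighted_operands):
    """Fagin's weighting formula for operands (weight, value).

    With the weights sorted descending (theta_1 >= ... >= theta_m, sum 1):
        sum_{i=1..m} i * (theta_i - theta_{i+1}) * f(x_1, ..., x_i),
    where theta_{m+1} = 0 and f is the unweighted scoring function.
    """
    ops = sorted(weighted_operands, key=lambda wx: wx[0], reverse=True)
    weights = [w for w, _ in ops]
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("operand weights must sum to 1")
    values = [x for _, x in ops]
    weights.append(0.0)
    return sum(i * (weights[i - 1] - weights[i]) * score_fn(values[:i])
               for i in range(1, len(values) + 1))


# Tables Fabric and Image from the example; the two similarity values per
# image are copied from Table Similarity Values (color, texture).
FABRIC = {
    "F001": ("tartan_0815", "high"),
    "F002": ("tartan_0816", "low"),
    "F003": ("blue_stripes", "high"),
}
IMAGE = [
    ("I001", "F001", 0.7, 0.2),
    ("I002", "F001", 0.8, 0.9),
    ("I003", "F002", 0.9, 0.4),
    ("I004", "F003", 0.1, 0.8),
]


def image_scores():
    """Per image: (weighted conjunction of color/texture, weighted disjunction)."""
    scores = {}
    for iid, fid, color, texture in IMAGE:
        _, quality = FABRIC[fid]
        # Weighted conjunction: color 2/3, texture 1/3, scoring function min.
        sim = fagin_weighted(min, [(2 / 3, color), (1 / 3, texture)])
        # Assumption: crisp equality with 'high' yields truth value 1 or 0.
        is_high = 1.0 if quality == "high" else 0.0
        # Weighted disjunction: quality 1/4, similarity 3/4, scoring function max.
        total = fagin_weighted(max, [(1 / 4, is_high), (3 / 4, sim)])
        scores[iid] = (sim, total)
    return scores


def query_result():
    """Project on (Name, Quality); duplicates are OR-aggregated with max."""
    scores = image_scores()
    result = {}
    for iid, fid, _, _ in IMAGE:
        key = FABRIC[fid]
        result[key] = max(result.get(key, 0.0), scores[iid][1])
    return result


if __name__ == "__main__":
    for iid, (sim, total) in image_scores().items():
        print(iid, f"{sim:.2f}", f"{total:.2f}")
    for (name, quality), score in query_result().items():
        print(name, quality, f"{score:.2f}")
```

Unrounded arithmetic gives about 0.683 for image I001 where the table prints 0.69, which follows from the rounded intermediate value 0.37; the query result is unaffected because the duplicate with score 0.90 wins.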



9 Conclusion and Future Work 

Our approach defines a framework for transforming declarative similarity queries
into an appropriate expression of an extended relational algebra. We enhanced
traditional relational domain calculus by vagueness and the aspect of weighting.
We left the specification of exact fuzzy-operations and weighted scoring functions
unspecified, so that our approach can be adapted and flexibly extended
to meet the needs of various scenarios, e. g. image retrieval or other multimedia
applications.

So far, our proposed language comprises core functionality only. We provide
adequate operators for dealing with imprecision and weights. Further, we proposed
the parameterizable quantifiers $\exists_k$ and $\forall_k$. In future, we will expand our
language by new constructs. We plan to add a similarity join [24,16] as well
as top- and cut-operations [17]. In addition, we intend to support aggregations
and other functions on result variables. Another aspect we want to consider is
to weight the operators themselves, that is, to modify their behavior by a parameter,
e. g. to soften a conjunction in direction to the disjunction. Since formulating
queries in a calculus is not very user friendly, we aim to design a graphical query
language in a QBE-like fashion. Then, a mapping onto our similarity calculus
can be easily performed.

Reducing calculus expressions to algebra often produces very complex expressions
requiring subsequent algebraic optimization. We are planning to develop
appropriate optimization strategies. Therefore, special optimization rules
adapted to our mapping rules need to be developed. In addition to a subsequent
optimization we are working on implicit optimization during the mapping.
Furthermore, we aim to extend the relational database model in order to explicitly
store and query imprecise data.
Abstract. Uncertainty management has been a challenging issue in AI
and database research. Logic database programming with its declarative
advantage and its top-down and bottom-up query processing techniques
has been an attractive formalism for representing and manipulating
uncertain information, and numerous frameworks with uncertainty
have been proposed. These proposals address fundamental issues of modeling,
semantics, query processing and optimization; however, one important
issue which remains unaddressed is efficient implementation of
such frameworks. In this paper, we illustrate that the standard semi-naive
evaluation method does not have a counterpart in general in these
frameworks. We then propose a desired semi-naive algorithm, which extends
the corresponding standard method, and establish its equivalence
with the naive method with uncertainty. We implemented the algorithm
and conducted numerous tests. Our experimental results indicate that
the proposed technique is practical and supports efficient fixpoint computation
with uncertainty. We believe that the method is also useful in
a more general context of fixpoint computation with aggregations.



1 Introduction 

Many real-life applications require an ability to represent and reason with un- 
certain information. Examples include diagnostic applications, data mining, sci- 
entific databases, and pattern and image databases. Answering complex queries 
against such applications requires that certainties associated with answers to 
simple queries be combined using some well-grounded principles and in a mean- 
ingful way. Uncertainty is a form of imperfection in information, which arises 
when the truth of the information is not established definitely. More precisely, 
uncertainty is the “degree” of truth of information pieces as estimated by an 
individual or a sensor device, which may be represented by associating with the 
information, a value coming from an appropriate domain. 
Uncertainty management has been a challenging issue in AI and database systems
for a long time. Parsons [18] provides a survey of works on the more general
subject of imperfect information in AI and databases. Numerous frameworks
have been proposed for uncertainty by extending the standard logic database
programming with its advantages of modularity and its powerful top-down and
bottom-up query processing techniques. The proposed frameworks typically combine
deduction with some formalism for uncertainty, and as in the standard case,
they offer a declarative semantics of programs. For practical reasons, a desired
such framework should admit efficient implementation and computation. On the
operational side, this is supported by a sound and complete (or weakly complete,
in some cases) proof procedure and a corresponding fixpoint semantics.

There are a number of bases on which these frameworks may differ. On the
basis of their underlying mathematical foundation of uncertainty, these frameworks
may vary and include probability theory [7,8,16,17], fuzzy set theory [21,24],
multi-valued logic [3,4,5,6], possibilistic logic [2], evidence theory [15], and
hybrids of numerical and non-numerical formalisms [7,9]. On the basis on which
uncertainties are associated with the facts and rules in a program, we classified [10]
the approaches of these frameworks into two: annotation based (AB,
for short) [23,5,15,16,17,6] and implication based (IB) [24,3,4,2,8,9]. Our earlier
work [12] includes a comprehensive comparison of these approaches. For a survey
of research on uncertainty in logic programming and deductive databases,
the interested reader is referred to [11].

A typical rule $r$ in an AB framework is an expression of the form:

$H : f(\beta_1, \ldots, \beta_n) \leftarrow B_1 : \beta_1, \ldots, B_n : \beta_n.$

where $H$ and the $B_i$'s are atoms, $\beta_i$ is an annotation constant or variable, and $f$ is a
function to compute the certainty of the rule head by “combining” the certainties
of the subgoals in the rule body. Alternate derivations of the same atom from the
program are “combined” using a user-defined disjunction function.

By contrast, a rule $r$ in an IB framework is an expression of the form:

$H \xleftarrow{\ \alpha\ } B_1, \ldots, B_n.$

where $H$ and the $B_i$'s are atoms, and $\alpha$ is a certainty value. This rule asserts that
the certainty that the rule body implies the head is $\alpha$. Aside from the syntactic
difference between the AB and IB approaches, there are important differences
in that in principle annotation functions in AB frameworks are unconstrained,
or at least not discussed, whereas the computation in IB frameworks is typically
constrained by some principles making sure the certainty computation makes
intuitive sense.

To introduce some basic concepts we need in our work, let us consider van
Emden's framework [24], the first language proposed for logic programs with
uncertainty. As in the standard case, a rule $r$ in [24] is applicable when each subgoal
$B_i$ in the rule body is true (to some extent). When $r$ is applied, it yields a ground
instance $A$ of the rule head $H$. Besides, we also need to consider the presence of
certainty values and functions in rule applications. To explain this, suppose $I$ is
an interpretation, which basically assigns to each ground atom $B$ a truth value
$I(B)$ in the closed unit interval [0, 1]. Therefore, in the above derivation of $A$, the
certainty $\sigma$ assigned to $A$ according to [24] would be $\alpha \times \min\{I(B_1), \ldots, I(B_n)\}$.
Here, the certainty of the rule body is determined by taking the minimum of
the certainties associated with the instances of the subgoals in the rule body
which contributed to this derivation of $A$. We may derive $A$ multiple times from
this rule and/or other rules in the program. We thus need to “combine” these
alternate derivations of $A$. In [24], this is done by taking the maximum of all
certainties derived for $A$. Note the use of three different “combination” functions
involved in this process: (i) min was used as the conjunction function to
define the certainty of the rule body as a whole, (ii) product ($\times$) was used as the
propagation function to define the certainty associated with the atom derived
by this rule application, and (iii) max was used as the disjunction function to
combine alternate derivations of the same atom $A$ into a single certainty of $A$.
This iterative process continues until it reaches an iteration at which no atom is
derived with a higher/better certainty, assuming initially every atom is assigned
the least certainty value 0, which corresponds to false in the standard logic.
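The iteration just described can be written down directly. The following Python sketch is an added example, not the authors' system: it evaluates a small constructed ground program in the style of [24] naively, with min as conjunction, product as propagation and max as disjunction, and counts rule applications; the rule encoding (head, certainty, body) and all names are assumptions of this example.

```python
# Added illustration (not the paper's code). A ground rule is a triple
# (head, alpha, body): 'head <-alpha- body'; a fact is a rule with empty body.

# Constructed sample program over the ground atoms p, q, r.
PROGRAM = [
    ("q", 0.8, []),           # fact q with certainty 0.8
    ("r", 0.5, []),           # fact r with certainty 0.5
    ("r", 0.7, ["q"]),        # alternate derivation of r
    ("p", 0.9, ["q", "r"]),   # p depends on both q and r
    ("q", 0.6, ["p"]),        # recursive rule: q also depends on p
]


def naive_fixpoint(rules):
    """Naive bottom-up evaluation with certainties.

    Every atom starts at certainty 0. In each iteration ALL rules are applied
    to the interpretation of the previous iteration:
      - conjunction:  min over the certainties of the body atoms
                      (an empty body counts as certainty 1),
      - propagation:  alpha * body certainty,
      - disjunction:  max over all derivations of the same head.
    The loop stops at the first iteration that improves no atom.
    Returns (interpretation, iterations, rule applications).
    """
    interp = {}
    iterations = 0
    applications = 0
    while True:
        iterations += 1
        derived = {}
        for head, alpha, body in rules:
            applications += 1
            body_cert = min((interp.get(b, 0.0) for b in body), default=1.0)
            cert = alpha * body_cert
            derived[head] = max(derived.get(head, 0.0), cert)
        improved = {h: c for h, c in derived.items()
                    if c > interp.get(h, 0.0)}
        if not improved:
            return interp, iterations, applications
        interp.update(improved)


if __name__ == "__main__":
    interp, iterations, applications = naive_fixpoint(PROGRAM)
    for atom in sorted(interp):
        print(atom, round(interp[atom], 3))
    print("iterations:", iterations, "rule applications:", applications)
```

On this program the certainty of r rises from 0.5 to 0.56 in the second iteration and p only reaches its final value 0.504 in the third, yet all five rules are re-applied in each of the four iterations.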

Efficient query processing and optimization for standard logic programs have 
been studied extensively and numerous compile-time and run-time techniques 
have been proposed and implemented in existing inference systems. Ceri et al. 
[1] includes an excellent survey of research in this direction. 

In the context of logic frameworks with uncertainty, even though there have 
been numerous proposals for AB/IB frameworks, there has been little progress 
in their effective and efficient implementation. Leach and Lu [13] discuss imple- 
mentation issues in the context of a multi-valued AB framework with a set-based 
semantics. However, query processing could be complicated when the semantics 
is based on multisets. In our attempt to redress this situation, we have been 
trying to lift the rich body of theory and techniques developed in the standard 
framework to these extended frameworks. Rather than attempt this for individ- 
ual frameworks, our approach has been to address this problem in a “framework 
independent” manner. To this end, we proposed a generic IB framework, called 
the parametric framework [10], which unifies and/or generalizes all the IB frame- 
works, and established that query programs in this framework have an equivalent 
declarative, fixpoint, and proof theoretic semantics. The parametric framework 
also provided a basis to study query optimization for the IB frameworks with 
uncertainty [12]. 

An indispensable, efficient run-time optimization technique for standard logic 
programs and deductive databases proposed as an alternative to the naive 
method is the semi-naive method, which tries to avoid or minimize repeated 
applications of rules at every iteration step. This is basically done by limiting 
the rule applications, at every iteration, to those rules for which we derived, 
in the previous iteration, at least “one new atom” in the rule body. It is also 
desired to use the semi-naive method for efficient evaluation of programs in the 
parametric framework. 

In this paper, we study efficient evaluation of logic programs with uncertainty.
As we illustrate in the following section, a “straight” extension of the standard
semi-naive method to take into account the presence of certainty values will not
work in general, simply because the results may not always coincide with the
results obtained by the corresponding naive method with uncertainty. Our
contribution in this work is thus to propose a “careful” extension of the standard
semi-naive method for efficient evaluation of logic programs with uncertainty
and to establish its equivalence with the corresponding naive method with
uncertainty. The ideas employed in this proposal may be adopted and used for the
AB frameworks as well. We believe the proposed solution could be adopted in a
more general context of fixpoint computation with aggregation.

The rest of this paper is organized as follows. Next, we present a motivat- 
ing example. Section 3 includes a quick review of the parametric framework 
as a background. Section 4 provides a classification of disjunction functions,
which is essential to this work. In section 5, we propose a semi-naive algorithm
for fixpoint computation with uncertainty and establish its equivalence with the 
corresponding naive method. Section 6 includes highlights of a prototype sys- 
tem we developed which implements the proposed method. We also present our 
experimental results indicating the efficiency of the system for evaluating pro- 
grams with uncertainty. In section 7, we discuss conditions under which existing 
inference engines may be used for evaluating programs with uncertainty. Finally 
we provide a summary and concluding remarks. We assume that the reader is 
familiar with the foundations of logic programs [14] and deductive databases [1]. 



2 A Motivating Example 



We now illustrate that the naive and semi-naive methods in the standard
framework may produce different results when uncertainty is present. For this, it is
enough to limit the analysis to the following program $P_1$ with uncertainty
expressed in propositional logic.

Example 2.1. Let $P_1$ be the following program with uncertainty.

$r_1$: $B \xleftarrow{0.5}$
$r_2$: $C \xleftarrow{0.8}$
$r_3$: $A \xleftarrow{1} C$; $(ind, \times, \_)$.
$r_4$: $A \xleftarrow{0.6} B, A$; $(ind, \times, \times)$.

The underlying certainty lattice in $P_1$ is $\langle [0, 1], \le, \min, \max \rangle$, with min as the
meet operator and max as the join. The two facts $r_1$ and $r_2$ define the
atom-certainty pairs $B : 0.5$ and $C : 0.8$, respectively. The certainty associated with
rule $r_3$ is 1 and that of rule $r_4$ is 0.6. The triple $(f_d, f_p, f_c)$ associated with each
rule indicates the disjunction, propagation, and conjunction functions,
respectively. The disjunction function ind in $r_4$ is defined as
$ind(\alpha, \beta) = \alpha + \beta - \alpha \times \beta$.
It should be clear that the particular choice of the conjunction function in $r_3$
is immaterial, indicated as _ in the sense that any “reasonable” conjunction
function would return 0.8 as the certainty of the body of $r_3$.

Let us first consider a fixpoint naive evaluation of $P_1$, and then “adapt” a
semi-naive method for evaluating it. We use $A : \alpha$ to denote an atom $A$ and
its associated certainty $\alpha$, and use $I_j$ to denote the collection of atom-certainty
pairs obtained at iteration $j$. Initially, $I_0 = \{A : 0, B : 0, C : 0\}$, that is
every atom is false. At iteration 1, we get $I_1 = \{B : 0.5, C : 0.8\}$ from $r_1$
and $r_2$. These two facts are derived at every following iteration. This, as in the
standard case, is a source of inefficiency. At iteration 2, we can apply $r_3$ and get
$I_2 = \{A : 0.8, B : 0.5, C : 0.8\}$. At iteration 3, we have two derivations of $A$;
one from $r_4$ with certainty $0.6 \times 0.5 \times 0.8 = 0.24$, and the other from $r_3$ with
certainty 0.8. The combined certainty of $A$ is thus $ind(0.8, 0.24) = 0.848$, and
hence $I_3 = \{A : 0.848, B : 0.5, C : 0.8\}$. We continue to get two derivations of $A$
at every following iteration. At iteration 4, we get $A : 0.8$ from $r_3$ and $A : 0.2544$
from $r_4$, which when combined give $A : 0.85088$, and thus
$I_4 = \{A : 0.85088, B : 0.5, C : 0.8\}$. Since the certainty of $A$ increases at every
iteration, this process goes on and terminates only at the limit.¹

To obtain the evaluation result at the limit, we adopt a recurrence relation
based technique from [5], as follows. Let $\alpha_n$ denote the certainty of $A$ at iteration
$n$. Then, the certainty $\alpha_{n+1}$ of $A$ at iteration $n + 1$ would be expressed as the
recurrence relation: $\alpha_{n+1} = 0.8 + 0.6 \times 0.5 \times \alpha_n - 0.8 \times (0.6 \times 0.5 \times \alpha_n)$. Let $\alpha$
denote the certainty of $A$ at the limit, i.e., when $n$ approaches $\omega$. This is obtained
when $\alpha_{n+1} = \alpha_n$, indicating no change in $A$’s certainty. Using this equality, the
above recurrence relation may be reduced to $\alpha = 0.8 + 0.3\alpha - 0.24\alpha$, solving
which yields $\alpha = 0.8/0.94$. Therefore, the least fixpoint semantics of $P_1$ using
the naive method would be $I_\omega = \{A : 0.85106, B : 0.5, C : 0.8\}$.

Next we show that a “straight” extension of the semi-naive method will not 
work for evaluating $P_1$. This would also suggest that we may not use existing
inference systems, as will be explained shortly. This is an unfortunate In fact, 
we noticed the above undesirable behaviour when our attempts to implement 
the probabilistic logic framework of Lakshmanan and Sadri [8] in both XSB and
CORAL failed. This suggests that, unfortunately, we may not be able to take 
advantage of existing powerful and efficient systems such as CORAL and XSB 
to evaluate some logic programs with uncertainty. Careful extensions are thus 
required in order to take advantage of these systems. 

The basic idea of the standard semi-naive method is to apply at each iteration
$i$, every rule $r$ for which we derived “something new” for the rule body at iteration
$i - 1$. This something new could be a new atom for a subgoal in the rule body,
as in the standard case, or an atom but with a “better” certainty in our context.
Extending this idea, we derive $B : 0.5$ and $C : 0.8$ at iteration 1. At step 2,
we only apply $r_3$ and derive $A : 0.8$. At iterations 3 and after, we only apply
$r_4$ and continue to derive $A$ with a better certainty at every following iteration.
At iteration 3, we get $A : 0.24$ from $r_4$, which is then combined with the best
certainty 0.8 of $A$ known thus far, and hence $I_3 = \{A : 0.848, B : 0.5, C : 0.8\}$.
At iteration 4, $r_4$ derives $A$ with certainty 0.2544 and consequently
$I_4 = \{A : 0.886688, B : 0.5, C : 0.8\}$, which is incorrect and continues to
accumulate a wrong result in the limit. The recurrence relation that corresponds
to this evaluation is: $\alpha_{n+1} = \alpha_n + 0.6 \times 0.5 \times \alpha_n - 0.3 \times \alpha_n^2$, solving which
yields $\alpha = 1$. That is, $I_\omega = \{A : 1, B : 0.5, C : 0.8\}$, which is incorrect, as
predicted. This example suggests that care must be taken when extending the
standard semi-naive method to develop a desired, efficient semi-naive method
for programs with uncertainty.

¹ The underlying fixpoint operator is shown to be monotone and continuous [10].

Some explanation is in order. An important property of a disjunction function 
$f_d$ (ind in $P_1$) which causes this undesirable behaviour is that its result is always
larger than its arguments (unless at least one of them is 1, the top). Note that
unlike max which is a disjunction often used in programs with uncertainty, ind
is sensitive to duplicates in that $ind(\alpha, \alpha) = 2\alpha - \alpha^2 \neq \alpha$, and hence every single
derivation of an atom counts, in general. We thus need to collect the derivations 
as a multiset. Note that this is not to suggest that a user in a framework with 
uncertainty is forced to conceive of uncertainty as multisets. However, because of 
the way the fixpoint evaluation proceeds, different derivations of the same atom 
may yield a certainty multiple times. In such a case, a set-based structure often 
assumed may not correctly capture the semantics. It is the use of disjunctions 
such as ind that complicates query processing with uncertainty, an issue that is 
dealt with in this paper. 

This example also illustrates that the standard semi-naive method does not
have a counterpart in deductive databases with uncertainty. It suggests that
special bookkeeping is necessary, in general, in a semi-naive evaluation of programs
with uncertainty to handle disjunctions such as ind. We remark that top-down
inference systems compute in a similar way as explained, and hence similar
bookkeeping may be required in such systems as well.



3 The Parametric Framework: A Review

In this section, we recall the basic concepts and development of the parametric 
framework [10]. This includes an introduction of the parameters as well as the 
declarative and fixpoint semantics. 

The idea of the parametric framework was inspired by our observation that a
user in an IB framework specifies in the program, implicitly or explicitly, the
following notions, or parameters as we call them, defined as follows.

(1) A (finite or infinite) set of certainty values, called the certainty domain,
denoted by $\mathcal{T}$. It is often a partially ordered set and is assumed to be a
complete lattice.

(2) A family $\mathcal{F}_p$ of propagation functions, each of which is a mapping from
$\mathcal{T} \times \mathcal{T}$ to $\mathcal{T}$.

(3) A family $\mathcal{F}_c$ of conjunction functions, modeled in general as a mapping from
finite multisets over $\mathcal{T}$ to $\mathcal{T}$, since there could be several subgoals in a rule body.

(4) A family $\mathcal{F}_d$ of disjunction functions, each of which is defined as a mapping
from finite multisets over $\mathcal{T}$ to $\mathcal{T}$.

Intuitively, a conjunction function returns the
certainty of the rule body as a whole, and a propagation function associated
with a rule combines the certainty of the rule body and the rule certainty and
yields a certainty for the head atom. The disjunction function associated with
a predicate is used to combine alternative derivations of the same ground atom
into a single certainty of that atom. We refer to all these functions collectively
as combination functions $\mathcal{F} = \mathcal{F}_c \cup \mathcal{F}_p \cup \mathcal{F}_d$. Using these parameters, we formally
define the syntax of the parametric programs, as follows.

Definition 3.1. A parametric program (p-program) $P$ is a 5-tuple
$\langle \mathcal{T}, \mathcal{R}, \mathcal{D}, \mathcal{P}, \mathcal{C} \rangle$, whose components are defined as follows:

1. $\mathcal{T} = \langle \mathcal{T}, \preceq, \otimes, \oplus \rangle$ is a complete lattice, where $\mathcal{T}$ is a set of certainty values,
partially ordered by $\preceq$, $\otimes$ is the meet operator, and $\oplus$ is the join. The least
element of the lattice is denoted by $\bot$ and the greatest element by $\top$.

2. $\mathcal{R}$ is a finite set of parametric rules (p-rules, for short), each of which is an
expression of the form:

$H \xleftarrow{\alpha} B_1, \ldots, B_n$

where $H, B_1, \ldots, B_n$ are atomic formulas, and $\alpha$ is a certainty value in
$\mathcal{T} - \{\bot\}$.

3. $\mathcal{D}$ is a mapping that associates with each predicate symbol $p$ in $P$, a
disjunction function in $\mathcal{F}_d$.

4. $\mathcal{P}$ is a mapping that associates with each p-rule in $P$ a propagation function
in $\mathcal{F}_p$.

5. $\mathcal{C}$ is a mapping that associates with each p-rule in $P$, a conjunction function
in $\mathcal{F}_c$.

For ease of presentation, we write a p-rule as follows:

$r: H \xleftarrow{\alpha_r} B_1, \ldots, B_n$; $(f_d, f_p, f_c)$.

where $f_d$ is the disjunction function, $f_p$ is the propagation function, and $f_c$ is the
conjunction function. If $A$ is an atomic formula, we use $\pi(A)$ to denote the
predicate symbol of $A$. For instance, if $A = p(X_1, \ldots, X_k)$, then $\pi(A) = p$. We also
use $Disj(\pi(A))$ to denote the disjunction function associated with the predicate
symbol of $A$. That is, if this disjunction function is $f_d$, then $Disj(\pi(A)) = f_d$.²

We will use p-program and program interchangeably, and similarly for p-rule
and rule. A p-rule with the empty body is called a fact. For a fact, the
associated triplet would be of the form $(f_d, \_, \_)$, where _ indicates the choice
of conjunction (or propagation) functions is immaterial. In fact, the conjunction
function is not even needed for facts, and any “reasonable” propagation function
$f_p$ would return the same result. (See the postulates below.)

The combination functions used in rule based systems are assumed, implicitly
or explicitly, to possess certain “reasonable” properties, defined as follows. For
simplicity, in our formulation of these properties, we model such a function as a
binary mapping on $\mathcal{T}$, when appropriate. This is quite meaningful, upon noting
that these functions are assumed to be associative and commutative, as follows.

1. Monotonicity: $f(\alpha_1, \alpha_2) \preceq f(\beta_1, \beta_2)$, whenever $\alpha_i \preceq \beta_i$, for $i \in \{1, 2\}$.

2. Continuity: $f$ is continuous (in the sense of Scott topology) w.r.t. each one
of its arguments.

3. Bounded-Above: $\forall \alpha_1, \alpha_2 \in \mathcal{T}$: $f(\alpha_1, \alpha_2) \preceq \alpha_i$, for $i = 1, 2$.

4. Bounded-Below: $\forall \alpha_1, \alpha_2 \in \mathcal{T}$: $f(\alpha_1, \alpha_2) \succeq \alpha_i$, for $i = 1, 2$.

5. Commutativity: $f(\alpha_1, \alpha_2) = f(\alpha_2, \alpha_1)$, $\forall \alpha_1, \alpha_2 \in \mathcal{T}$.

6. Associativity: $f(\alpha_1, f(\alpha_2, \alpha_3)) = f(f(\alpha_1, \alpha_2), \alpha_3)$, $\forall \alpha_1, \alpha_2, \alpha_3 \in \mathcal{T}$.

7. $f(\{| \alpha |\}) = \alpha$, $\forall \alpha \in \mathcal{T}$.

8. $f(\emptyset) = \bot$, where $\bot$ is the least element in $\mathcal{T}$.

9. $f(\emptyset) = \top$, where $\top$ is the greatest element in $\mathcal{T}$.

10. $f(\alpha, \top) = \alpha$, $\forall \alpha \in \mathcal{T}$.

We require that (i) conjunction functions satisfy properties 1, 2, 3, 5, 6, 7, 9,
10; (ii) propagation functions satisfy properties 1, 2, 3, 10; and (iii) disjunction
functions satisfy properties 1, 2, 4, 5, 6, 7, 8.

² As a consequence of this function definition and for “consistency” reason, we assume
that the disjunction function associated with a predicate symbol $p$ defined by every
rule in a p-program is unique.

A brief explanation for these postulations is as follows. This might help
identify opportunities to adapt and apply the proposed method in other fixpoint
computations with aggregation, in general. The continuity of the combination
functions is required in proving the continuity of the fixpoint operator $T_P$
(defined below). The commutativity and associativity of conjunction functions were
required for allowing a query optimizer to perform, e.g., subgoal reordering, if
desired. The commutativity and associativity of the disjunction functions were
needed so that the certainty obtained for each ground atom at each iteration is
unique and is independent of the order in which the facts are derived and/or
the certainties are combined in that iteration. Boundedness assumptions are
imposed in order that derivations make intuitive sense. Property 9 of a conjunction
function together with property 10 of a propagation function allows the
derivation of a ground atom $A$ with certainty $\alpha$ from the fact $A \xleftarrow{\alpha}$. Property 8 has a
similar rationale for disjunction functions. For practical reasons, we further
assume that every combination function can be computed efficiently. In theory, we
also assume that every such function can be computed with arbitrary precision.

In order to handle disjunction functions which might be sensitive to
duplicates, the semantics of the parametric framework is based on multisets. We use
$\{| \ldots |\}$ to represent multisets, and use $\emptyset$ to denote the empty multiset. The
declarative semantics of p-programs is defined as follows [10]. Let $P$ be a p-program,
and $B_P$ be the Herbrand base of $P$. A valuation $v$ of $P$ is a mapping from $B_P$
to $\mathcal{T}$, which assigns to every ground atom in $B_P$, a certainty value in $\mathcal{T}$. We
denote the set of all valuations of $P$ as $\Upsilon_P$. A ground instance of a p-rule $r$ in $P$
is a rule obtained from $r$ by replacing all occurrences of each variable in $r$ with
an element of the Herbrand domain. As in Datalog [1], since we do not allow
function symbols in p-programs, the Herbrand domain of $P$ will be finite as it
would contain only constant symbols. The Herbrand instantiation of $P$, denoted
as $P^*$, is the collection of all ground instances of all p-rules in $P$.

Let $P^*$ denote the ground instantiation of $P$ and
$\rho = (A \xleftarrow{\alpha_r} B_1, \ldots, B_n; (f_d, f_p, f_c)) \in P^*$ be any instance of rule $r$ in $P$.
The notion of satisfaction is defined as follows. We say that:

(1) $v$ satisfies $\rho$, denoted as $\models_v \rho$, iff $f_p(\alpha_r, f_c(\{| v(B_1), \ldots, v(B_n) |\})) \preceq v(A)$.

(2) $v$ satisfies $r$, denoted as $\models_v r$, iff $\models_v \rho$, for every ground instance $\rho$ of $r$.

(3) $v$ satisfies $P$, denoted as $\models_v P$, iff $\forall r \in P$, $\models_v r$, and $\forall A \in B_P$, $f_d(X) \preceq v(A)$,
where $X = \{| f_p(\alpha_r, f_c(\{| v(B_1), \ldots, v(B_n) |\})) \mid (A \xleftarrow{\alpha_r} B_1, \ldots, B_n; (f_d, f_p, f_c)) \in P^* |\}$,
and $f_d = Disj(\pi(A))$.

The ordering $\preceq$ on $\mathcal{T}$ is extended to valuations in the well-known manner:
for any valuations $u$ and $v$ of $P$, $v \preceq u$ iff $v(A) \preceq u(A)$, for all $A \in B_P$. For all
valuations $u, v$ of $P$ and for all $A \in B_P$, we have (1) $(u \otimes v)(A) = u(A) \otimes v(A)$
and (2) $(u \oplus v)(A) = u(A) \oplus v(A)$. We have shown that $\langle \Upsilon_P, \otimes, \oplus \rangle$ is a complete
lattice, in which $v_\bot$ is the least element mapping every atom in $B_P$ to $\bot \in \mathcal{T}$,
and $v_\top$ is the greatest element mapping every atom to $\top \in \mathcal{T}$. The declarative
semantics of a p-program is defined as the least valuation satisfying $P$, i.e.,
$\otimes \{v \mid v \in \Upsilon_P \text{ and } \models_v P\}$.

The fixpoint theory developed for p-programs is based on the notion of the
immediate consequence operator $T_P$, defined as a mapping from $\Upsilon_P$ to $\Upsilon_P$, such
that for every $v \in \Upsilon_P$ and every atom $A \in B_P$: $T_P(v)(A) = f_d(X)$, where
$f_d = Disj(\pi(A))$, and $X$ is the multiset of certainties of $A$ defined as:

$X = \{| f_p(\alpha_r, f_c(\{| v(B_1), \ldots, v(B_n) |\})) \mid (A \xleftarrow{\alpha_r} B_1, \ldots, B_n; (f_d, f_p, f_c)) \in P^* |\}$.

The bottom-up iteration of $T_P$ is defined similarly to the standard case.

We established that $T_P$ is both monotone and continuous, and that for any
p-program $P$, the least fixpoint of $T_P$, denoted $lfp(T_P)$, is equivalent to the
declarative semantics of $P$. That is, $lfp(T_P) = \otimes \{v \mid \models_v P\}$.

4 Classification of Disjunction Functions 

In this section, we study disjunction functions, which is essential for
understanding the difficulties of evaluating some logic programs with uncertainty. In [10],
we classified the family $\mathcal{F}_d$ of disjunction functions into three types, called types
1-3, defined as follows.

Definition 4.1. Let $f_d$ be a disjunction function in the parametric framework.
Then, we say

(1) $f_d$ is of type 1 provided, $f_d = \oplus$, i.e., when $f_d$ coincides with the lattice join.

(2) $f_d$ is of type 2 provided, $\oplus(\alpha, \beta) \prec f_d(\alpha, \beta) \prec \top$, for all $\alpha, \beta \in \mathcal{T} - \{\bot, \top\}$.

(3) $f_d$ is of type 3 provided, $\oplus(\alpha, \beta) \prec f_d(\alpha, \beta) \preceq \top$, for all $\alpha, \beta \in \mathcal{T} - \{\bot, \top\}$.

Intuitively, a type 1 disjunction function means that it coincides with the
join $\oplus$ operator in the underlying certainty lattice $\mathcal{T}$, while type 2 functions are
strictly greater than $\oplus$, whenever all its arguments are different from the bottom
and top elements of the certainty lattice $\mathcal{T}$. A type 3 disjunction function at some
input arguments behaves like join and is strictly greater than join at other points.
All these types of disjunction functions are assumed to satisfy the postulates
introduced above. We emphasize the crucial role of disjunction functions in the
problem we address in this paper and the solution technique proposed. On the
other hand, conjunction and propagation functions introduce no concern in this
regard.

In the context of the parametric framework, we used the above classification 
to study query optimization [10] and complexity of query evaluations [22]. In
both studies, our focus was on disjunction functions of types 1 and 2, whose 
“behaviours” correspond to many known practical disjunction functions. 
5 A Semi-naive Fixpoint Algorithm

In this section, we propose a bottom-up semi-naive method for evaluating query
programs with uncertainty, and establish its equivalence with the corresponding
naive evaluation method. First, we provide a quick review of the naive method for
p-programs. Even though our motivation for this work is to support disjunction
functions of type 2, the proposed solution is applicable to p-programs with
disjunction functions of any type (provided they satisfy the postulates).

In a bottom-up naive method, every atom is initially assigned the least
certainty value, $\bot$, i.e., every atom is initially assumed to be false. At each iteration,
we fire all facts and all applicable rules, and collect the atom-certainty pairs
derived as a multiset, noting that when applying a rule, we use the best certainty
of each subgoal in the rule body to compute the certainty of the rule head. More
precisely, the certainties derived at iteration $i$ for atom $A$ are collected as a
multiset $M_i(A)$. At the end of iteration $i$, $M_i(A)$ is combined into a single certainty
for $A$. This is done by using the disjunction function $f_d$ associated with the
predicate symbol of $A$, as specified in the p-program. This evaluation goes on to
some iteration, possibly $\omega$, at which no atom is derived with a “better” certainty.
The evaluation method just described corresponds to the fixpoint computation
developed in known logic frameworks, obtained by a “straightforward”
extension of the standard case, by taking into account the presence of certainties.
The naive method is shown in Fig. 1.

Procedure: Naive($P$, $D$; $lfp(T_{P \cup D})$)
    forall $A \in B_P$:
1       $v_0(A) := \bot$;
2       $M_1(A) := \{| \alpha \mid (A : \alpha) \in D |\}$;
3       $v_1(A) := f_d(M_1(A))$, where $f_d = Disj(\pi(A))$;
    end forall;
4   $New_1 := \{A \mid (A : \alpha) \in D\}$; $i := 1$;
    while ($New_i \neq \emptyset$)
5       $i := i + 1$;
        forall ($r: A \xleftarrow{\alpha_r} B_1, \ldots, B_n$; $(f_d, f_p, f_c)$) $\in P^*$:
6           $M_i(A) := \{| f_p(\alpha_r, f_c(\{| v_{i-1}(B_1), \ldots, v_{i-1}(B_n) |\})) |\}$;
7           $v_i(A) := f_d(M_i(A))$, where $f_d = Disj(\pi(A))$;
        end forall;
8       $New_i := \{A \mid A \in B_P, v_i(A) \succ v_{i-1}(A)\}$;
    endwhile;
9   $lfp(T_{P \cup D}) := v_i$;
end procedure

Fig. 1. A naive algorithm for evaluating programs with uncertainty. 

We next extend the basic naive evaluation method described above and
develop a semi-naive algorithm which produces the same result. The basic idea
employed here is that we associate with every ground atom $A$, a pair $(M_i, \sigma_i)$,
where $M_i$ is a multiset which includes all certainties of $A$ derived so far since the
initial step, and $\sigma_i$ is $A$’s certainty obtained by “combining” the certainties in
$M_i$. That is, $\sigma_i = f_d(M_i)$, where $f_d = Disj(\pi(A))$. If at iteration $i + 1$, there is
an applicable instance of rule $r$ which has $A$ as a subgoal, then $\sigma_i$ is used as the best
certainty of $A$ in deriving the certainty of the rule head. Each element of the
multiset $M_i(A)$ is of the form $r : \alpha$, indicating a derivation of $A$ with certainty
$\alpha$ from rule $r$. It is important also to note that the use of multiset is crucial, as
there could be multiple derivations of the same atom from the same rule in an
iteration. For instance, there will be two derivations of $p(1, 3)$ with the same
certainty from the rule $p(X, Y) \leftarrow e(X, Z), e(Z, Y)$, and the facts $e(1, 2)$, $e(2, 3)$,
$e(1, 4)$, and $e(4, 3)$, all with the same certainty.

The algorithm is presented in Fig. 2, which takes a collection $D$ of
atom-certainty pairs (basically, the extensional database (EDB)), and a collection $P$
of p-rules, and produces the least model of the program, when the fixpoint of
$T_{P \cup D}$ is reached, which is captured as the valuation $v_i$. We denote the multiset
operation of union as $\cup$ and the multiset difference as $-$, both of which respect
duplicates.

Procedure: Semi-Naive($P$, $D$; $lfp(T_{P \cup D})$)
    forall $A \in B_P$:
1       $v_0(A) := \bot$;
2       $M_1(A) := \{| \alpha \mid (A : \alpha) \in D |\}$;
3       $v_1(A) := f_d(M_1(A))$, where $f_d = Disj(\pi(A))$;
    end forall;
4   $New_1 := \{A \mid (A : \alpha) \in D\}$; $i := 1$;
    while ($New_i \neq \emptyset$)
5       $i := i + 1$;
6       forall $A \in B_P$:
            if $\exists$ ($r: A \xleftarrow{\alpha_r} B_1, \ldots, B_n$; $(f_d, f_p, f_c)$) $\in P^*$
               such that $\exists B_j \in New_i$, for some $j \in \{1, \ldots, n\}$:
            then begin
7               $M_i(A) :=$
8               forall ($r: A \xleftarrow{\alpha_r} B_1, \ldots, B_n$; $(f_d, f_p, f_c)$) $\in P^*$
                   such that $B_j \in New_i$, for some $j \in \{1, \ldots, n\}$:
9                   $M_i(A) := M_i(A) - \{| \sigma^r_{i-1}(A) |\} \cup \{| \sigma^r_i(A) |\}$, where
                    $\sigma^r_i(A) := f_p(\alpha_r, f_c(\{| v_{i-1}(B_1), \ldots, v_{i-1}(B_n) |\}))$;
                end forall;
10              $v_i(A) := f_d(M_i(A))$, where $f_d = Disj(\pi(A))$;
            end;
11          else $v_i(A) := v_{i-1}(A)$;
        end forall;
12      $New_i := \{A \mid A \in B_P, v_i(A) \succ v_{i-1}(A)\}$;
13  endwhile
14  $lfp(T_{P \cup D}) := v_i$;
end procedure

Fig. 2. A semi-naive algorithm for evaluating programs with uncertainty. 
Initially in line 1, every atom is associated with $(\emptyset, \bot)$. In lines 2 and 3, we
then revise the certainties of the atoms given as EDB facts. We also need to
keep track of those atom-certainty pairs, where the certainty of the atom was
increased compared to the previous iteration. This is done through the set $New_i$
defined initially in line 4 and revised subsequently in line 12. At iteration $i + 1$, we
select and apply those rules $r$, such that $r$ has at least one subgoal $B$ appearing
in $New_i$, i.e., the overall certainty of $B$ was raised at iteration $i$. This is done in
line 6 in the algorithm. When $r$ is applied, the certainty of subgoal $B$ used in
this rule application is $\sigma(M_i(B))$, shown in lines 3 and 10. At step $i + 1$, for every
ground atom $A : \gamma$ derived by $r$, we remove from the multiset of $A$ every derivation of
$A$ by $r$, and add certainty $r : \gamma$ to this multiset [T9]. In line 10, we compute the
new overall certainty of $A$ using the disjunction $Disj(\pi(A))$ associated with the
predicate symbol of atom $A$. For atoms whose certainty did not increase, the
valuation $v_i(A)$ defined at iteration $i$ would be the same as the old one, $v_{i-1}(A)$.
This is done in line 11. After all applications of possible rules at iteration $i$,
we are able to define the set $New_i$ of atoms whose certainties are increased.
This is done in line 12. If this set is empty, then the evaluation terminates and
the result $v_i$ is returned, as shown in line 14. Otherwise, the execution of the
algorithm at the while loop continues.

A crucial statement to note is the multiset of certainties collected in line 9,
which is a basis for correctness of this algorithm, making the result at every
iteration identical to that of the naive method. It ensures that no derivation of $A$
from the same rule $r$ at iteration $i$ is mixed with the derivations of $A$ by $r$ at
earlier iterations. This is the problem we observed with the standard semi-naive
technique, which resulted in a wrong computation, as explained in section 2. This may be
stated as a correctness requirement as follows. “If disjunction functions of types
2 and 3 are present in a p-program, an evaluation procedure should combine
the certainties of atoms derived at the same iteration, and not combine newly
derived certainties with prior certainties of the same atom from the same rule.”

A point on avoiding redundancy is that we do not need to keep track of all
previous derivations of $A$ by $r$; it is enough to consider every derivation of $A$
obtained at the previous iteration. The basis for this is as follows. If $r$ is not
a recursive rule, then in a semi-naive evaluation, it will be applied only once
to derive an atom from a rule instance. On the other hand, if $r$ is a recursive
rule which derived atom $A$ at iteration $i$, this rule will continue to derive $A$ at
every subsequent iteration. In this case, if $i$ is the first time we derived $A$ by
$r$, the multiset difference operation in line 9 does nothing. Otherwise, this line
ensures the above correctness requirement. This is a key observation which also
allows efficient implementation of this method in terms of time and memory
requirements. The above arguments provide a basis for the proof of the following
result.

Theorem 5.1. Let P be any p-program in the parametric framework and D be 
a collection of facts. A fixpoint computation of P over D using the semi-naive 
method proposed above produces the same result as the naive method.
Let us consider the program $P_1$ of section 2 again to explain the steps of this
algorithm. Initially, every ground atom is assigned the certainty 0. At iteration
1 we obtain $I_1 = \{r_1 : B : 0.5, r_2 : C : 0.8\}$ from $r_1$ and $r_2$. At iteration 2, we
apply $r_3$, and hence $I_2 = \{r_3 : A : 0.8, r_1 : B : 0.5, r_2 : C : 0.8\}$. At iteration 3,
we apply $r_4$ and use 0.8 as the certainty of $A$ in the rule body. This yields $A$ with
certainty $0.6 \times 0.5 \times 0.8 = 0.24$. The multiset $M_3(A)$ associated with $A$ at iteration
3 would thus include $r_3 : 0.8$ and $r_4 : 0.24$, and the certainty of $A$ at this iteration
is improved to $ind(0.8, 0.24) = 0.848$. At iteration 4, we apply $r_4$ again, using
0.848 in the rule body as the certainty of $A$. This yields $r_4 : A : 0.2544$, which
replaces the derivation $r_4 : A : 0.24$ in $M_4(A)$. Therefore, $M_4(A) = \{0.8, 0.2544\}$,
and hence $A$’s certainty at iteration 4 would be $ind(0.8, 0.2544) = 0.85088$. Since
the certainty of $A$ improves at every iteration, this computation will terminate
only in the limit. Since the certainty values obtained and combined at every
iteration for each atom are identical with those obtained in the naive method,
the semi-naive method produces the same result as the naive method.

It is not hard to convince ourselves that the proposed method extends the 
standard fixpoint evaluation upon noting that the disjunction function in the 
standard framework is max, indicating that duplicate values collected as a mul- 
tiset in line 9 of the algorithm may be ignored by collecting them as a set. 
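
The three evaluations of $P_1$ discussed in sections 2 and 5 can be replayed side by side. The following Python sketch is an added example, not the authors' prototype: the tuple encoding of rules, the function names, and the per-rule dictionary that stands in for the multiset $M_i(A)$ (sufficient here because each propositional rule has a single ground instance) are assumptions of this example.

```python
from math import prod

# Constructed encoding of program P_1 (Example 2.1): (name, head, certainty, body).
# Propagation and conjunction are both multiplication; disjunction is ind.
P1 = [
    ("r1", "B", 0.5, []),
    ("r2", "C", 0.8, []),
    ("r3", "A", 1.0, ["C"]),
    ("r4", "A", 0.6, ["B", "A"]),
]

def ind(certainties):
    """Fold ind(a, b) = a + b - a*b over a multiset; the empty multiset gives 0."""
    total = 0.0
    for c in certainties:
        total = total + c - total * c
    return total

def fire(rule, v):
    """Certainty of the head from one rule application: alpha_r * product of body."""
    _, _, alpha, body = rule
    return alpha * prod(v[b] for b in body)

def atoms(rules):
    return sorted({r[1] for r in rules} | {b for r in rules for b in r[3]})

def triggered(rule, new):
    """Facts fire only at iteration 1 (new is None); rules fire on a changed subgoal."""
    body = rule[3]
    return (not body) if new is None else any(b in new for b in body)

def naive(rules, max_iter):
    """Fig. 1: re-fire every rule and recombine all derivations at each iteration."""
    v = {a: 0.0 for a in atoms(rules)}
    for _ in range(max_iter):
        nxt = {a: ind(fire(r, v) for r in rules if r[1] == a) for a in v}
        if nxt == v:
            break
        v = nxt
    return v

def straight_semi_naive(rules, max_iter):
    """The flawed extension of section 2: a new derivation is combined with the
    atom's current certainty, so older derivations by the same rule are recounted."""
    v = {a: 0.0 for a in atoms(rules)}
    new = None
    for _ in range(max_iter):
        prev = dict(v)
        for r in rules:
            if triggered(r, new):
                v[r[1]] = ind([v[r[1]], fire(r, prev)])
        new = {a for a in v if v[a] > prev[a]}
        if not new:
            break
    return v

def semi_naive(rules, max_iter):
    """Fig. 2 idea: keep the derivations per rule and replace rule r's previous
    derivation of A before recombining (line 9).
    Assumption of this sketch: M_i(A) starts from M_{i-1}(A)."""
    v = {a: 0.0 for a in atoms(rules)}
    M = {a: {} for a in v}          # M[A][rule name] = latest certainty from that rule
    new = None
    for _ in range(max_iter):
        prev = dict(v)
        for r in rules:
            if triggered(r, new):
                M[r[1]][r[0]] = fire(r, prev)   # drop the old derivation, add the new
        v = {a: ind(M[a].values()) for a in v}
        new = {a for a in v if v[a] > prev[a]}
        if not new:
            break
    return v

if __name__ == "__main__":
    for k in (2, 3, 4, 200):
        print(k, naive(P1, k)["A"], semi_naive(P1, k)["A"],
              straight_semi_naive(P1, k)["A"])
```

Running it prints the certainty of $A$ after 2, 3, 4 and 200 iterations under each method: the naive and bookkeeping columns agree at every step, while the straight extension drifts upward toward 1.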

6 Implementation and Experimental Results 

In order to determine the practical merits of the proposed algorithm, we
developed a system prototype in C++ which can evaluate a program with
uncertainty using either the naive method or the semi-naive, determined by the user.
To measure the efficiency of the proposed technique, we conducted a number
of experiments of evaluating p-programs and compared the execution time of
these two techniques. For this, we considered two classes of logic programs with
uncertainty computing the transitive closure of a binary predicate $p$. The first
p-program $P_2$ includes $r_1$ and $r_2$ defined below and the second program $P_3$
includes $r_1$ and $r_3$. Note that $P_2$ is a linear (recursive) program whereas $P_3$ is a
double recursive program.

$r_1$: $p(X, Y) \xleftarrow{1} e(X, Y)$; $(ind, \times, \_)$.

$r_2$: $p(X, Y) \xleftarrow{1} e(X, Z), p(Z, Y)$; $(ind, \times, \times)$.

$r_3$: $p(X, Y) \xleftarrow{1} p(X, Z), p(Z, Y)$; $(ind, \times, \times)$.

We considered a collection of EDB facts with different numbers of tuples. Each
collection in our experiment included cyclic data of the form: $e(0, 1), e(1, 2), \ldots,
e(n, 0)$, for $n = 10K$, where $1 \le K \le 15$. As with the rules, the certainty
associated with every tuple was set to 1. We chose this certainty value
because we wanted to compare the “timing” with the timing of an existing powerful
deductive database such as CORAL [19], even though the actual certainties
computed would not be identical, in general, if the certainties of the rule were
different than the value 1 we chose.
Table 1. Summary of our experiment results for program $P_2$.

| Number of EDB Tuples | Number of IDB Tuples | Number of Iterations | Time (Sec) Naive | Time (Sec) Semi-Naive | Speed-up (N to SN) | Time (Sec) CORAL |
|---|---|---|---|---|---|---|
| 10 | 100 | 11 | 0 | 0.07 | 0 | 1.21 |
| 20 | 400 | 21 | 2 | 0.39 | 5.1 | 4.84 |
| 30 | 900 | 31 | 11 | 1.4 | 7.9 | 10.79 |
| 40 | 1,600 | 41 | 36 | 3.69 | 9.8 | 19.35 |
| 50 | 2,500 | 51 | 92 | 8.15 | 11.3 | 30.31 |
| 60 | 3,600 | 61 | 198 | 15.97 | 12.4 | 42.29 |
| 70 | 4,900 | 71 | 392 | 27.61 | 14.2 | 60.19 |
| 80 | 6,400 | 81 | 715 | 45.17 | 15.2 | 78.28 |
| 90 | 8,100 | 91 | 1246 | 69.83 | 17.8 | 96.79 |
| 100 | 10,000 | 101 | 2,010 | 103.10 | 19.5 | 120.99 |
| 110 | 12,100 | 111 | 3,141 | 142.96 | 22 | 146.70 |
| 120 | 14,400 | 121 | 4,787 | 193.59 | 24.5 | 171.12 |
| 130 | 16,900 | 131 | 7,090 | 257.53 | 27.5 | 209.10 |
| 140 | 19,600 | 141 | 10,059 | 341.50 | 29.5 | 241.52 |
| 150 | 22,500 | 151 | 14,114 | 446.68 | 31.6 | 279.57 |


To conduct the experiments, we used a desktop computer with 2 CPUs (Ultra Sparc-II) running at 296 MHz, with 100 MB of RAM and a 4.2 GB hard disk, under the Solaris 8 operating system. The experimental results are shown in Tables 1 and 2. Table 1 shows the time measured in seconds for evaluating the query p(X, Y) on the program $P_2$ with different EDB sizes, identified in the first column, in terms of the number of tuples. The 4th column in these tables includes the timing of the basic naive method with uncertainty and column 5 includes the timing of the semi-naive method. Column 6 in Table 1 shows the speed-up achieved by the semi-naive method over the naive method, obtained by dividing the time measured for the naive method by the corresponding time for the semi-naive method. We can see from this table that the speed-up achieved on average is about 17 times. This is a significant improvement, noting that the index structure developed was not sophisticated. Finally, the last column in Table 1 shows the time it took to evaluate the standard transitive closure program in CORAL with the corresponding EDB facts. As we can see, CORAL outperforms our prototype system by a factor of 1.5 on large EDB sets of 120 tuples or more, which is not a bad result for our first implementation attempt. Table 2 includes the timing we obtained in evaluating the double recursive program $P_3$ in an attempt to assess the efficiency of our system prototype. The average speed-up we got in this case is about 14. As we can see, CORAL is 6 times faster for the data set of size 120 tuples. Recall that in this case, CORAL evaluates the double recursive program in standard logic without having to deal with uncertainty values and functions.
Table 2. Summary of our experiment results for program $P_3$.

| Number of EDB Tuples | Number of IDB Tuples | Time (Sec) Naive | Time (Sec) Semi-Naive | Speed-up (N to SN) | Time (Sec) CORAL |
|---|---|---|---|---|---|
| 10 | 100 | 1 | 0.16 | 6.3 | 0.07 |
| 20 | 400 | 7 | 1.11 | 6.3 | 0.49 |
| 30 | 900 | 28 | 3.33 | 8.4 | 1.46 |
| 40 | 1600 | 132 | 12.71 | 10.4 | 3.39 |
| 50 | 2500 | 285 | 24.59 | 11.6 | 6.56 |
| 60 | 3600 | 566 | 44.2 | 12.8 | 11.26 |
| 70 | 4900 | 1765 | 121.48 | 14.5 | 18.39 |
| 80 | 6400 | 2809 | 177.79 | 15.8 | 26.77 |
| 90 | 8100 | 4297 | 246.28 | 17.4 | 37.91 |
| 100 | 10000 | 6420 | 335.02 | 19.2 | 51.99 |
| 110 | 12100 | 9659 | 436.89 | 22.1 | 69.02 |
| 120 | 14400 | 14482 | 568.97 | 22.5 | 91.92 |

7 Discussions 



In this section, we discuss when the proposed method could/should be used as 
an alternative to existing evaluation methods. Our objective here is to provide 
some intuitive arguments in a rather informal way. 

An important question at this point is: when can we use existing bottom-up (or top-down) inference systems to evaluate IB programs with uncertainty? In fact, our first attempt to implement the parametric framework was to use Coral [19] and XSB [20], both of which are powerful and efficient systems and support multisets, among other interesting features. We could successfully implement the IB frameworks which use sets as the basis of their semantics structure. A version of Coral was provided to us which also supports an annotation, called @aggsel_per_iteration, which would be useful in our context if we could change the default evaluation method of Coral to be naive, but then it would be inefficient when the EDB is large.

Returning to our question of when we may take advantage of existing efficient engines, we note that three factors are influential here: (1) the program structure, being recursive or otherwise, (2) the data being “cyclic” or not, and (3) the existence of a recursive predicate in the program which is associated with a strict disjunction $f_d$, as defined in Section 4. The third condition holds when $f_d(\alpha, \beta) \succ \oplus\{\alpha, \beta\}$ whenever $\alpha$ and $\beta$ are both different from $\bot$ and $\top$. This intuitively means that the result of $f_d$ is always “better” than its arguments. If any of these conditions fails to hold, we can luckily use the existing systems to evaluate such programs. On the other hand, our algorithm may always be used, in particular when all the above conditions hold. In this case, the bookkeeping in our algorithm is required only for recursive predicates which are associated with a strict disjunction such as $f_d$.
We also remark that using a combination of the rule id and atom pair of the form $(r_i, A)$ as an alternative technique to implement the desired computation while avoiding the complication of dealing with multisets will not work, since in this case we cannot distinguish two (or more) derivations of the same atom by the same rule in the same iteration step. For instance, consider a program with the rules $r_1: p(A,B) \leftarrow e(A,B)$ and $r_2: p(A,B) \leftarrow e(A,C), p(C,B)$, and the facts e(1,2), e(1,3), e(2,4), and e(3,4), all with certainty 1. In this example, using the pair $(r_2, p(1,4))$ to annotate derivations of p(1,4) by $r_2$ will result in losing one of the two and hence a wrong computation, if the disjunction function associated with predicate p is, e.g., ind.
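The lost derivation can be reproduced with a small naive evaluator. The following Python code is an added example, not the authors' prototype; it assumes product for propagation and conjunction and a rule certainty of 0.5 for both rules (the passage fixes only the fact certainties), chosen so that the two derivations of p(1,4) combine under ind to a value that differs from a single derivation.

```python
from functools import reduce

# Constructed input: the four EDB facts of the passage, all with certainty 1.
EDB = {(1, 2): 1.0, (1, 3): 1.0, (2, 4): 1.0, (3, 4): 1.0}

# Assumption (not given in the passage): both rules carry certainty 0.5.
RULE_CERTAINTY = {"r1": 0.5, "r2": 0.5}


def ind(a, b):
    """Independence disjunction: ind(a, b) = a + b - a*b."""
    return a + b - a * b


def derivations(p):
    """Yield (rule_id, head_atom, certainty) for every ground rule instance.

    p maps atoms p(x, y), written as (x, y), to their current certainty.
    Propagation and conjunction are both taken to be product (assumption).
    """
    # r1: p(A,B) <- e(A,B)
    for (a, b), ce in EDB.items():
        yield "r1", (a, b), RULE_CERTAINTY["r1"] * ce
    # r2: p(A,B) <- e(A,C), p(C,B)
    for (a, c), ce in EDB.items():
        for (c2, b), cp in p.items():
            if c2 == c and cp > 0:
                yield "r2", (a, b), RULE_CERTAINTY["r2"] * (ce * cp)


def step(p, keyed):
    """One naive iteration: recompute every atom from all its derivations."""
    if keyed:
        # Flawed bookkeeping: one slot per (rule id, atom), so a second
        # derivation of the same atom by the same rule overwrites the first.
        slots = {}
        for rule_id, atom, cert in derivations(p):
            slots[(rule_id, atom)] = cert
        collected = [(atom, cert) for (_, atom), cert in slots.items()]
    else:
        # Multiset bookkeeping: every derivation is kept.
        collected = [(atom, cert) for _, atom, cert in derivations(p)]

    bags = {}
    for atom, cert in collected:
        bags.setdefault(atom, []).append(cert)
    # Fold the disjunction over the collected certainties; 0 is neutral for ind.
    return {atom: reduce(ind, certs, 0.0) for atom, certs in bags.items()}


def evaluate(keyed, max_iter=50):
    """Iterate to the fixpoint and return the certainties of all p atoms."""
    p = {}
    for _ in range(max_iter):
        new_p = step(p, keyed)
        if new_p == p:
            return p
        p = new_p
    raise RuntimeError("no fixpoint reached within max_iter iterations")


if __name__ == "__main__":
    print("multiset       p(1,4) =", evaluate(keyed=False)[(1, 4)])
    print("(rule, atom)   p(1,4) =", evaluate(keyed=True)[(1, 4)])
```

With multisets, p(1,4) receives both derivations through r2 (via e(1,2), p(2,4) and via e(1,3), p(3,4)); keyed by (rule id, atom) only one of them survives.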

We believe that the proposed method can be adapted to a more general context of fixpoint computation with aggregation in which it is important to collect derivations as multisets and in which the aggregation functions used are strict and subject to the same properties as disjunction functions in the parametric framework. Also, even though our focus in this work was on the IB frameworks, the method developed can be adapted to AB frameworks as well.

8 Concluding Remarks 

In this paper, we studied evaluations of logic programs and deductive databases 
in the context of the parametric framework over the complete lattice [0,1]. We 
assumed that arithmetic computations over reals could be carried out with 
arbitrary precision. We illustrated that the standard semi-naive evaluation 
method does not have a counterpart in logic programs with uncertainty. Our
motivation in this work was to fill this gap, and we proposed a desired evaluation
method which is equivalent to the naive method. Our implementation of the
proposed method and the experimental results obtained show that the proposed 
method together with some basic heuristics we used in the construction of 
a hash-based structure in the prototype system developed support a desired, 
efficient fixpoint computation with uncertainty. We are currently pursuing some 
ideas to further improve the efficiency of the system. Preliminary results in 
this direction are encouraging. In other directions, we would like to extend our 
method to handle negation in the parametric framework [25,26]. 



Acknowledgements. The authors are grateful to anonymous referees for their 
helpful comments. 



References 

1. Ceri S., Gottlob G., and Tanca L. Logic Programming and Databases. Berlin, New York: Springer-Verlag, 1990.

2. Dubois Didier, Lang Jerome, and Prade Henri. Towards possibilistic logic programming. In Proc. 8th Intl. Conf. on Logic Programming, pages 581-596, 1991.

3. Fitting M.C. Logic programming on a topological bilattice. Fundamenta Informaticae, 11:209-218, 1988.

4. Fitting M.C. Bilattices and the semantics of logic programming. Journal of Logic Programming, 11:91-116, 1991.

5. Kifer, M. and Li, A. On the semantics of rule-based expert systems with uncertainty. In M. Gyssens, J. Paredaens, and D. van Gucht, editors, 2nd Intl. Conf. on Database Theory, pages 102-117, Bruges, Belgium, August 31-September 2 1988. Springer-Verlag LNCS-326.

6. Kifer M. and Subrahmanian V.S. Theory of generalized annotated logic programming and its applications. Journal of Logic Programming, 12:335-367, 1992.

7. Lakshmanan, Laks V.S. An epistemic foundation for logic programming with uncertainty. In Proc. 14th Conf. on the Foundations of Software Technology and Theoretical Computer Science (FST and TCS'94). Springer-Verlag, LNCS-880, December 1994.

8. Lakshmanan, Laks V.S. and Sadri, F. Probabilistic deductive databases. In Proc. Intl. Logic Programming Symposium, pages 254-268, Ithaca, NY, November 1994. MIT Press.

9. Lakshmanan Laks V.S. and Sadri F. Modeling uncertainty in deductive databases. In Proc. Intl. Conf. on Database Expert Systems and Applications (DEXA '94), Athens, Greece, September 1994. Springer-Verlag, LNCS-856.

10. Lakshmanan, Laks V.S. and Shiri, Nematollaah. A parametric approach to deductive databases with uncertainty. In Proc. Intl. Workshop on Logic in Databases (LID'96), pages 61-81, San Miniato, Italy, July 1996. Springer-Verlag, LNCS-1154.

11. Lakshmanan, Laks V.S. and Shiri, Nematollaah. Logic programming and deductive databases with uncertainty: A survey. In Encyclopedia of Computer Science and Technology, volume 45, pages 153-176. Marcel Dekker, Inc., New York, 2001.

12. Lakshmanan Laks V.S. and Shiri Nematollaah. A parametric approach to deductive databases with uncertainty. IEEE Transactions on Knowledge and Data Engineering, 13(4):554-570, 2001.

13. Leach Sonia M. and Lu James J. Query processing in annotated logic programming: Theory and implementation. Journal of Intelligent Information Systems, 6(1):33-58, January 1996.

14. Lloyd J. W. Foundations of Logic Programming. Springer-Verlag, second edition, 1987.

15. Ng R.T. and Subrahmanian V.S. Relating Dempster-Shafer theory to stable semantics. Tech. Report UMIACS-TR-91-49, CS-TR-2647, Institute for Advanced Computer Studies and Department of Computer Science, University of Maryland, College Park, MD 20742, April 1991.

16. Ng R.T. and Subrahmanian V.S. Probabilistic logic programming. Information and Computation, 101(2):150-201, December 1992.

17. Ng R.T. and Subrahmanian V.S. A semantical framework for supporting subjective and conditional probabilities in deductive databases. Automated Reasoning, 10(2):191-235, 1993.

18. Parsons, S. Current approaches to handling imperfect information in data and knowledge bases. IEEE Transactions on Knowledge and Data Engineering, 8(3):353-372, 1996.

19. Ramakrishnan R., Srivastava D., and Sudarshan S. CORAL: Control, relations, and logic. In Proc. Intl. Conf. on Very Large Databases, 1992.

20. Sagonas Konstantinos, Swift Terrance, and Warren David S. XSB as an efficient deductive database engine. In Proc. of the ACM SIGMOD Intl. Conf. on the Management of Data, pages 442-453, Minneapolis, Minnesota, May 1994.

21. Shapiro E. Logic programs with uncertainties: a tool for implementing expert systems. In Proc. IJCAI'83, pages 529-532. William Kaufmann, 1983.

22. Shiri, Nematollaah. Towards a Generalized Theory of Deductive Databases with Uncertainty. PhD thesis, Department of Computer Science, Concordia University, Montreal, Canada, August 1997.

23. Subrahmanian V.S. On the semantics of quantitative logic programs. In Proc. 4th IEEE Symposium on Logic Programming, pages 173-182, Computer Society Press, Washington DC, 1987.

24. van Emden M.H. Quantitative deduction and its fixpoint theory. Journal of Logic Programming, 4(1):37-53, 1986.

25. Yann Loyer and Umberto Straccia. The well-founded semantics in normal logic programs with uncertainty. In Proc. of the 6th Int'l Symp. on Functional and Logic Programming (FLOPS '02), LNCS 2441, pages 67-78. Springer Verlag, 2002.

26. Yann Loyer and Umberto Straccia. Default knowledge in logic programs with uncertainty. In Proc. of the 19th Int'l Conf. on Logic Programming (ICLP '03), Mumbai, India, Dec. 9-13, 2003.




Towards a Generalized Interaction Scheme for 
Information Access 



Yannis Tzitzikas 1, Carlo Meghini 2, and Nicolas Spyratos 3

1 Information Technology, VTT Technical Research Centre of Finland
ext-yannis.tzitzikas@vtt.fi

2 Istituto di Scienza e Tecnologie dell'Informazione [ISTI], CNR, Pisa, Italy
meghini@isti.cnr.it

3 Laboratoire de Recherche en Informatique, Université de Paris-Sud, France
spyratos@lri.fr



Abstract. We introduce the formal framework of a generalized interaction scheme for information access between users and information sources. Within this framework we describe an interaction manager which supports more complex interaction schemes than those that are supported by existing systems, including: query by example, answer enlargement/reduction, query relaxation/restriction, index relaxation/contraction, “relevance” feedback, and adaptation facilities. We give the foundations of this interaction manager from a mathematical point of view, in terms of an abstract view of an information source.



1 Introduction 

Information sources such as information retrieval systems [2], or databases and 
knowledge bases [12], aim at organizing and storing information in a way that 
allows users to retrieve it in a flexible and efficient manner. Commonly, for 
retrieving the desired information from an information source, the user has to 
use the query language that is provided by the system. 

We propose an interaction scheme whose objective is to make the desired objects easy to find for the user, even if the source has a query language which is unknown to the user. This scheme is actually a generalization of the interaction schemes that are currently used by information systems. In particular, we describe an interaction manager which supports several kinds of interaction, including: query by example, index relaxation/contraction, query relaxation/restriction, answer enlargement/reduction, “relevance” feedback, and adaptation facilities, in a uniform manner.

We view the interaction of a user with the information source as a sequence of transitions between contexts, where a context is a consistent “interaction state”. The user has at his/her disposal several ways to express the desired transition. Then, it is the interaction manager that has to find (and drive the user to) the new context. Methods allowing the user to specify a transition relatively to the current context are also provided. Furthermore, we describe methods for restricting the set of transitions to those that can indeed lead to a context. As we shall see below, the unified interaction scheme that we introduce allows defining more complex interaction mechanisms than those that are supported by existing systems. We describe this scheme in terms of an abstract view of a source.

The paper is organized as follows. Section 2 introduces contexts and context 
transitions. Section 3 describes how context transitions can be specified using 
replacements. Section 4 describes how the interaction manager can find a new 
context after a context transition specification. Section 5 introduces relative 
replacements and Section 6 describes context transitions using restricted relative 
replacements. Section 7 concludes the paper and identifies issues for further 
research. 



2 A Context-Based Interaction Scheme 

We view a source $S$ as a function $S : Q \to \mathcal{A}$ where $Q$ is the set of all queries that $S$ can answer, and $\mathcal{A}$ is the set of all answers to those queries, i.e. $\mathcal{A} = \{ S(q) \mid q \in Q \}$. As we focus on retrieval queries, we assume that $\mathcal{A}$ is a subset of $\mathcal{P}(Obj)$, the powerset of $Obj$, where $Obj$ is the set of all objects stored at the source.

Let $\mathcal{S}$ be the set of all sources that can be derived by “updating” the source $S$ (e.g. for adapting it), but for the moment let us suppose that $\mathcal{S}$ is the set of all functions from $Q$ to $\mathcal{P}(Obj)$.

Let $U$ denote the set of all triples in $\mathcal{S} \times Q \times \mathcal{A}$, i.e. $U = \mathcal{S} \times Q \times \mathcal{A}$. A triple $c = (S, q, A) \in U$ is called an interaction context, or context for short, if $S(q) = A$. Let $C$ denote the set of all contexts, i.e. $C = \{ (S, q, A) \in U \mid S(q) = A \}$. Given a context $c = (S, q, A)$, $S$ is called the source view of $c$, $q$ is called the query of $c$ and $A$ is called the answer of $c$. The interaction between the user and the source is carried out by a software module called Interaction Manager (IM). We view the interaction of a user with the source as a sequence of transitions between contexts. At any given time, the user is in one context, the focal context. At the beginning of the interaction with the system the user starts from the initial context $(S, \epsilon, \emptyset)$ where $S$ is the stored information source, $\epsilon$ is the empty query and $\emptyset$ is the empty answer ¹. There are several methods the user can use for moving from one context to another, i.e. for changing the focal context. For example, in the traditional query-and-answer interaction scheme, the user actually “replaces” the current query $q$ by formulating a new query $q'$ and the “interaction manager” drives him to the new context $(S, q', A')$ where $A' = S(q')$. However this is only one way of changing the focal context. Several other ways will be presented below.

At first we introduce some preliminary material. There are three partially ordered sets (posets) that can be exploited by the interaction manager:

- The poset of answers $(\mathcal{P}(Obj), \subseteq)$.

- The poset of queries $(Q, \leq)$. Given two queries $q$ and $q'$ of $Q$, we write $q \leq q'$ iff $S(q) \subseteq S(q')$ in every possible source $S$ in $\mathcal{S}$. We write $q \sim q'$ if both $q \leq q'$ and $q' \leq q$ hold. Let $Q_\sim$ denote the set of equivalence classes induced by $\sim$ over $Q$.

- The poset of sources $(\mathcal{S}, \sqsubseteq)$. Given two sources $S$ and $S'$ in $\mathcal{S}$, $S \sqsubseteq S'$ iff $S(q) \subseteq S'(q)$ for every query $q \in Q$.

For every element x of the above lattices, we shall use Br(x) to denote the elements that are greater than or equal to x, and Nr(x) to denote the elements that are less than or equal to x in the corresponding poset.

¹ We assume that $S(\epsilon) = \emptyset$, therefore $(S, \epsilon, \emptyset)$ is a context.

3 Context Transition Specifications (CTSs) through 
Replacements 

At first we study the case where the user replaces one component of the focal 
context (i.e. either S, q or A) by another component by explicitly providing the 
new component. Later on, we will further study these replacements and we will 
describe methods that allow the user to specify the desired replacement without 
having to provide explicitly the new component (i.e. methods for defining the 
new component relatively to the current). 

The replacements that can be applied to a context $c = (S, q, A)$ can be:

(a) query replacement, denoted by $[q \to q']$,

(b) answer replacement, denoted by $[A \to A']$, and

(c) source view replacement, denoted by $[S \to S']$.

As mentioned earlier, the user should always be in a context, i.e. in a triple (S, q, A) where S(q) = A. This means that after any of the above kinds of replacement, the interaction manager should try to reach a context $c'$ by changing one (or both) of the remaining two components of the focal context. Instead of leaving the IM to decide, it is the user that indicates to the IM the component(s) to be changed during a replacement. A replacement plus an indication of the above kind is what we call a Context Transition Specification (CTS). Below we discuss each possible CTS, assuming a focal context (S, q, A). For each CTS, we also discuss the motivation behind it. We do so in brief because we mainly focus on founding this interaction scheme from a mathematical point of view. However, we think that the set of CTSs that we propose is elemental, in the sense that other more sophisticated interaction schemes can be analyzed using the set of CTSs that we propose.

Query replacement $[q \to q']$

- $[q \to q'/A]$

Here the answer A must be changed. This is the classical query-and-answer interaction scheme: when the user replaces the current query $q$ with a new query $q'$, the user is given a new answer (i.e. an $A'$ such that $A' = S(q')$). Thus we can write: $[q \to q'/A](S, q, A) = (S, q', S(q'))$.

- $[q \to q'/S]$

Here the source view S must be changed. This means that the user replaces the current query $q$ by a query $q'$, because the user wants the current answer $A$ to be the answer of $q'$, not of $q$. The IM should try to “adapt” to the desire of the user by changing the source view from $S$ to an $S'$ such that $S'(q') = A$.



Answer replacement $[A \to A']$

- $[A \to A'/q]$

Here the query must be changed. This interaction scheme may help the user to get acquainted with the query language of the source. It can be construed as an alternative query formulation process. The user selects a number of objects (i.e. the set $A'$) and asks the IM to formulate the query that “describes” these objects. Subsequently the user can change the query $q'$ in a way that reflects his/her information need. Roughly this resembles the Query By Example (QBE) process in relational databases. It also resembles the relevance feedback mechanisms in Information Retrieval systems. For example, the user selects a subset $A'$ of the current answer $A$ consisting of those elements of $A$ which the user finds relevant to his/her information need. Subsequently, the IM has to change the query appropriately.

- $[A \to A'/S]$

Here the source view S has to be changed. This case resembles the CTS $[q \to q'/S]$ that was described earlier. Here the user wants $A'$ (instead of $A$) to be the answer of $q$. The IM should try to adapt to the desire of the user by changing the source view from $S$ to an $S'$ such that $S'(q) = A'$.



Source view replacement $[S \to S']$

- $[S \to S'/A]$

Here the answer A must be changed. This is the classical interaction scheme: whenever the source changes (e.g. after an update) the answers of queries change as well, i.e. here we have $A' = S'(q)$.

- $[S \to S'/q]$

Here the query q must be changed. This resembles the way that a relational database management system changes the query q that defines a relational view, after an update of the database, in order to preserve the contents (tuples) of the view.

We have seen six kinds of context transition specifications. Table 1 summa- 
rizes the above discussion and it also includes the cases where the IM can change 
two components of the focal context during one transition. In summary, the user 
has 9 different ways to specify the desired context transition. 
Table 1. Replacements and possible reactions of the interaction manager

| Replacements on $c = (S, q, A)$ | Possible reactions of the interaction manager |
|---|---|
| Query Replacement $[q \to q']$ | $(S, q', A')$, $(S', q', A)$, $(S', q', A')$ |
| Answer Replacement $[A \to A']$ | $(S, q', A')$, $(S', q, A')$, $(S', q', A')$ |
| Source View Replacement $[S \to S']$ | $(S', q', A)$, $(S', q, A')$, $(S', q', A')$ |



4 Finding the Target Context(s)

Given a focal context c and a context transition specification R, the role of the IM is to find the desired context R(c), if one exists.

Searching for an answer (in the cases $[q \to q'/A]$ and $[S \to S'/A]$)

The cases in which the interaction manager has to change the answer in order to reach a context (i.e. after a query or source replacement) are relatively simple: the desired context always exists and the desired answer $A'$ can be derived using the query evaluation mechanism of the source. In particular, in the case $[q \to q'/A]$ (“query replacement - change of answer”) the new context is $(S, q', S(q'))$, while in the case $[S \to S'/A]$ (“source replacement - change of answer”) the new context is $(S', q, S'(q))$.

The cases in which the interaction manager has to find a new query or a new source view are less straightforward. The main problem is that the desired context does not always exist.

Searching for a query q (in the cases $[A \to A'/q]$ and $[S \to S'/q]$)

In cases $[A \to A'/q]$ and $[S \to S'/q]$ we are looking for a $q \in Q$ such that $S(q) = A$ for given $S$ and $A$. Let us first try to define a “naming service”, i.e. a method for computing one or more queries that describe (name) a set of objects $A \subseteq Obj$. For supporting the naming service we would like to have a function $n : \mathcal{P}(Obj) \to Q$ such that for each $A \subseteq Obj$, $S(n(A)) = A$. Having such a function, we would say that the query $n(A)$ is an exact name for the object set $A$. Note that if $S$ is an onto function then the naming function $n$ coincides with the inverse relation of $S$, i.e. with the relation $S^{-1} : \mathcal{P}(Obj) \to Q$. However, this is not always the case, as more often than not, $S$ is not an onto function, i.e. $\mathcal{A} \subset \mathcal{P}(Obj)$. Furthermore, if $S$ is onto and one-to-one, then $S^{-1}$ is indeed a function, thus there is always a unique $q$ such that $S(q) = A$ for each $A \subseteq Obj$ ².

As $S$ is not always an onto function, we shall introduce two “approximate” naming functions, a lower naming function $n^-$ and an upper naming function $n^+$. We can define the functions $n^-$ and $n^+$ as follows:

$n^-(A) = lub\{\, q \in Q \mid S(q) \subseteq A \,\}$
$n^+(A) = glb\{\, q \in Q \mid S(q) \supseteq A \,\}$

where $A$ is any subset of $Obj$. Now let $A$ be a subset of $Obj$ for which both $n^-(A)$ and $n^+(A)$ are defined (i.e. the above lub and glb exist). It is clear that in this case it holds:

$S(n^-(A)) \subseteq A \subseteq S(n^+(A))$

and that $n^-(A)$ and $n^+(A)$ are the best “approximations” of the exact name of $A$. Note that if $S(n^-(A)) = S(n^+(A))$ then both $n^-(A)$ and $n^+(A)$ are exact names of $A$. If $Q$ is a query language that (a) supports disjunction ($\vee$) and conjunction ($\wedge$) and is closed with respect to both these operations, and (b) has a top ($\top$) and a bottom ($\bot$) element such that $S(\top) = Obj$ and $S(\bot) = \emptyset$, then the functions $n^-$ and $n^+$ are defined for every subset $A$ of $Obj$. Specifically, in this case $(Q_\sim, \leq)$ is a complete lattice, thus these functions are defined as:

$n^-(A) = \bigvee \{\, q \in Q \mid S(q) \subseteq A \,\}$
$n^+(A) = \bigwedge \{\, q \in Q \mid S(q) \supseteq A \,\}$

As $Q$ is usually an infinite language, $n^-(A)$ and $n^+(A)$ are queries of infinite length. This means that in practice we also need a method for computing a query of finite length that is equivalent to $n^-(A)$ and another that is equivalent to $n^+(A)$. If however $Q$ does not satisfy the above conditions (a) and (b), then $n^-(A)$ and $n^+(A)$ may not exist. For such cases, we can define $n^-$ and $n^+$ as follows: $n^-(A) = \max\{\, q \in Q \mid S(q) \subseteq A \,\}$ and $n^+(A) = \min\{\, q \in Q \mid S(q) \supseteq A \,\}$, where max returns the maximal element(s), and min the minimal element(s). Clearly, in this case we may have several lower and upper names for a given $A$. A specialization of these naming functions for the case of taxonomy-based sources is described in [10].

² Usually, sources are not one-to-one functions. For instance, the supported query language may allow formulating an infinite number of different queries, while the set of all different answers $\mathcal{A}$ is usually finite (e.g. $\mathcal{P}(Obj)$).

Let us now return to our problem. If a naming function $n_S$ is available for source $S$, then the context we are looking for exists and can be found as follows:

- $[A \to A'/q](S, q, A) = (S, n_S(A'), A')$

- $[S \to S'/q](S, q, A) = (S', n_{S'}(A), A)$

If only approximate naming functions are available, then two “approximate” next contexts exist:

- $[A \to A'/q](S, q, A) = \begin{cases} (S,\ n_S^-(A'),\ S(n_S^-(A'))) \\ (S,\ n_S^+(A'),\ S(n_S^+(A'))) \end{cases}$

- $[S \to S'/q](S, q, A) = \begin{cases} (S',\ n_{S'}^-(A),\ S'(n_{S'}^-(A))) \\ (S',\ n_{S'}^+(A),\ S'(n_{S'}^+(A))) \end{cases}$

Notice that in the above cases, the IM does not change only $q$, but also the answer. In the case $[A \to A'/q]$, the new context has an answer, say $A''$, which is the closest possible to the requested (by the user) answer $A'$. In the case $[S \to S'/q]$, the new context has an answer $A'$ which is the closest possible to the current $A$.
Searching for a source view S (in the cases $[A \to A'/S]$ and $[q \to q'/S]$)

In cases $[A \to A'/S]$ and $[q \to q'/S]$ we are looking for an $S \in \mathcal{S}$ such that $S(q) = A$ for given $q$ and $A$. Note that the desired source $S$ always exists if and only if $\mathcal{S}$ is the set of all functions from $Q$ to $\mathcal{A}$. We cannot describe any mechanism for finding the desired $S'$ within such an abstract framework. However, later on we shall see how restricted relative replacements and a source relaxation/contraction mechanism can be exploited in order to support this kind of interaction.

The following list summarizes how the IM can find the target context after each kind of CTS:

(1) $[q \to q'/A](c) = (S, q', S(q'))$, i.e. it relies on query evaluation

(2) $[S \to S'/A](c) = (S', q, S'(q))$, i.e. it relies on query evaluation

(3) $[A \to A'/q](c) = (S, n_S(A'), A')$, i.e. it relies on naming functions

(4) $[S \to S'/q](c) = (S', n_{S'}(A), A)$, i.e. it relies on naming functions

(5) $[A \to A'/S](c) = ?$, i.e. this is an open issue

(6) $[q \to q'/S](c) = ?$, i.e. this is an open issue

5 Relative Replacements and Relative CTSs 

Until now we have described how the IM could react to a context transition specification. Now we shall focus on the replacements. Certainly, the user can manually specify a replacement, e.g. submit a new query, select a set of objects $A' \subseteq Obj$, or update the source $S$ by adding, deleting or modifying some of the contents of $S$.

Here we describe methods that allow the user to specify the desired replace- 
ment without having to provide explicitly the new component, i.e. methods for 
defining the new component relatively to the current. These methods can be 
helpful for the user during the interaction with the system. 

The three partial orders mentioned earlier can be exploited for moving to a component (answer, query, or source) that covers, or is covered by, the current component. Given a component $x$, let $x^+$ denote a component that covers $x$, and let $x^-$ denote a component that is covered by $x$ ³. Note that there may not always exist a unique $x^+$ or a unique $x^-$. Specifically, we may have zero, one, or more $x^+$'s and $x^-$'s for a given $x$.

Let $Up(x)$ denote a component among those greater than $x$ and that the IM can compute (ideally $Up(x) = x^+$), and let $Down(x)$ denote a component among those less than $x$ and that the IM can compute (ideally $Down(x) = x^-$). Notice that these Up and Down functions correspond to

- a query relaxation/contraction mechanism, if applied to $Q$ (i.e. $[q \to Up(q)]$ and $[q \to Down(q)]$). Such mechanisms have been proposed for several kinds of sources, including relational [6], semi-structured [4], taxonomy-based [11], Description-Logics-based [9,3] and Web sources [7].

- an answer enlargement/reduction mechanism, if applied to $\mathcal{A}$ (i.e. $[A \to Up(A)]$ and $[A \to Down(A)]$)

- a source relaxation/contraction mechanism, if applied to $\mathcal{S}$ (i.e. $[S \to Up(S)]$ and $[S \to Down(S)]$). An example of such a mechanism for the case of taxonomy-based sources, founded on abduction, is described in [8].

³ An element $x^+$ covers an element $x$ if $x^+ > x$ and $x^+ \leq x'$ for every $x' > x$. An element $x$ is covered by an element $x^-$ if $x^- < x$ and $x^- \geq x'$ for every $x' < x$.

These relative replacements can be used within context transition specifications. At the user interface level, this means that the user can have at his/her disposal two buttons, “Up” and “Down”, for every component of the focal context. By pressing a button, the corresponding replacement is specified. Figure 1 sketches such a user interface. The option control labelled “Change” allows the user to indicate to the IM the component (S, q, or A) that should be changed in order to reach the new context. Then, it is the task of the IM to try to reach a context, using the approach indicated by the user, and subsequently to deliver this context to the user. A CTS defined by a relative replacement will be called a relative CTS.



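[Figure 1: sketch of the user interface, with Up and Down buttons for the
components S, q and A, a "Change" option control, and fields for the current
query and the current answer.]

Fig. 1. A user interface for specifying context transitions through relative replacements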



Below we enumerate all possible relative CTSs: 

(1) $[q \to Up(q)/A]$: query relaxation resulting in answer enlargement
    $[q \to Down(q)/A]$: query contraction resulting in answer reduction

(2) $[S \to Up(S)/A]$: source relaxation resulting in answer enlargement
    $[S \to Down(S)/A]$: source contraction resulting in answer reduction

(3) $[A \to Up(A)/q]$: answer enlargement resulting in query relaxation
    $[A \to Down(A)/q]$: answer reduction resulting in query contraction

(4) $[S \to Up(S)/q]$: source relaxation resulting in query contraction
    $[S \to Down(S)/q]$: source contraction resulting in query relaxation

(5) $[A \to Up(A)/S]$: answer enlargement resulting in source relaxation
    $[A \to Down(A)/S]$: answer reduction resulting in source contraction

(6) $[q \to Up(q)/S]$: query relaxation resulting in source contraction
    $[q \to Down(q)/S]$: query contraction resulting in source relaxation

6 Restricting the Relative CTSs 

The three partial orders mentioned in Section 2 (and their interrelationships) 
can be exploited in order to restrict the set of relative CTSs to those for which 
the IM can indeed compute the target context. Below we describe how we can 
restrict relative replacements according to the CTS in which they appear. 

Up/Down on Sources 

As we saw earlier, source replacements appear in cases (2) and (4) of CTSs. 
In these cases, there is no need to restrict Up(S) or Down(S) because the IM can 
always find the target context. In particular, CTS (2) relies on query evaluation 
and CTS (4) on naming functions: 

(2) $[S \to S'/A](c) = (S', q, S'(q))$, i.e. it relies on query evaluation

(4) $[S \to S'/q](c) = (S', n_{S'}(A), A)$, i.e. it relies on naming functions

Up/Down on Answers 

Answer replacements appear in cases (3) and (5) of CTSs. CTS (3) relies on
naming functions, while CTS (5) is still open:

(3) $[A \to A'/q](c) = (S, n_S(A'), A')$, i.e. it relies on naming functions

(5) $[A \to A'/S](c) = ?$, i.e. this is an open issue

Note that we can restrict Up/Down(A) so as to support CTS (3) even if
naming functions are not available (or if they are available, but there is no
exact name for A'). This can be achieved by defining:

$Up(A) = S(Up(q))$

$Down(A) = S(Down(q))$

In this way, the IM can find the target context without using any naming
function, i.e.

(3R) $[A \to S(Up(q))/q](c) = (S, Up(q), S(Up(q)))$

     $[A \to S(Down(q))/q](c) = (S, Down(q), S(Down(q)))$

Another interesting remark is that by restricting Up(A) or Down(A) the IM
can support CTS (5). This can be achieved by defining Up(A) and Down(A) as
follows:

$Up(A) = Up(S)(q)$

$Down(A) = Down(S)(q)$

In this way, the IM can find the target context:

(5R) $[A \to Up(S)(q)/S](c) = (Up(S), q, Up(S)(q))$

     $[A \to Down(S)(q)/S](c) = (Down(S), q, Down(S)(q))$

Up/Down on Queries 

Query replacements appear in cases (1) and (6) of CTSs: 

(1) $[q \to q'/A](c) = (S, q', S(q'))$, i.e. it relies on query evaluation
(6) $[q \to q'/S](c) = ?$, i.e. this is an open issue

CTS (1) relies on query evaluation, hence no restriction is needed. CTS (6)
is still open but by restricting Up/Down(q) the IM can support it, if naming
functions are available. This can be achieved by defining Up(q) and Down(q) as
follows:

$Up(q) = n_{Down(S)}(A)$

$Down(q) = n_{Up(S)}(A)$

In this way, the IM can find the target context:

(6R) $[q \to n_{Up(S)}(A)/S](c) = (Up(S), n_{Up(S)}(A), A)$

     $[q \to n_{Down(S)}(A)/S](c) = (Down(S), n_{Down(S)}(A), A)$

In this section we showed how the IM can support all kinds of relative CTSs 
through restricted relative replacements. 

7 Concluding Remarks 

We introduced a unified formal framework which captures several interaction
schemes between users and information systems. This unified view allowed us
to describe more complex interaction mechanisms than those supported by the
existing systems. The value of this unification is not only theoretical. It can be
directly reflected in the interaction between the user and the information source,
i.e. in the user interface.

Further research includes specializing the introduced framework for the case 
where the source is a taxonomy-based source (such as a Web Catalog), a rela- 
tional database, a semistructured database [1], or a Description-Logics database 
[5], 

Abstract. Despite the fact that thousands of applications manipulate
plans, there has been no work to date on managing large databases of 
plans. In this paper, we first propose a formal model of plan databases. 
We describe important notions of consistency and coherence for such 
databases. We then propose a set of operators similar to the relational 
algebra to query such databases of plans. 



1 Introduction 

Most of AI planning has focused on creating plans. However, the complemen- 
tary problem of querying a collection of plans has not been studied. Querying 
plans is of fundamental importance in today’s world. Shipping companies like 
UPS and DHL create plans for each package they have to transport. Multiple 
programs and humans need to query the resulting database of plans in order to 
determine how to allocate packages to specific drivers, to identify choke areas 
in the distribution network, and to determine which facilities to upgrade, etc. 
Likewise, every commercial port creates detailed plans to route ships into the 
port. Port officials need to determine which ships are on schedule, which ships 
are off schedule, which ships may collide with one another (given that one of 
them is off schedule) and so on. A similar application arises in the context of 
air traffic control - prior to takeoff, every flight has a designated flight plan and 
flight path. It is not uncommon for planes to be off schedule and/or off their 
assigned path. In other words, the plane may not be at the assigned location 
at the assigned time. Maintaining the integrity of air traffic corridors, especially 
in heavily congested areas (e.g. near Frankfurt or London airport), is a major 
challenge. Air traffic controllers need to be able to determine which flights are on 
a collision course, which flights are not maintaining adequate separation, which 
flights may intrude onto another flight’s airspace and when. 

These are just three simple applications where we need the ability to query 
collections of plans. We emphasize that in this paper, we are not interested in 
creating plans, just in querying them. The long version of this paper discusses 
issues such as how to update databases of plans (which does involve some
planning).

In this paper, we develop a formal model of a plan database. We then
describe two important properties of such databases, consistency and
coherence, and present results that these properties are polynomially
checkable. We then present a relational-algebra style plan algebra to query
plan databases. In addition to the relational style operators, our algebra
contains operators unique to plan databases.¹

2 Plan Database Model 

In this section, we introduce the basic model of a plan database. The concept of 
a plan is an adaptation of the notion of a plan in the well known PDDL planning 
language [4]. 

Definition 2.1. A planspace, $\mathcal{PS}$, is a finite set of relations. A
planworld pw over a planspace $\mathcal{PS}$ is a finite instance of each
relation in $\mathcal{PS}$.

We use the standard notion of a relational schema and domain of an attribute 
when describing planspaces. There are certain special relations called numeric 
relations. 

Definition 2.2. A numeric relation in a planspace is a relation
$R(A_1, \ldots, A_n, V)$ where $(A_1, \ldots, A_n)$ forms a primary key and V
is of type real or integer.

Note that a numeric relation $R(A_1, \ldots, A_n, V)$ represents a function fn
that maps $dom(A_1) \times \ldots \times dom(A_n) \to dom(V)$.

Example 2.1 (Package Example). A shipping company’s planspace may use the 
following relations to describe truck locations, truck drivers, packages and valid 
routes: 

• at(object, location): specifies the location of drivers, trucks and packages.

• route(location1, location2): specifies that there is a viable route from
location1 to location2.

• in(package, truck): specifies information about which truck carries which
package.

• driving(driver, truck): specifies who is driving which truck.

• fuel(truck, level): a numerical relation specifying the fuel level of each truck.



2.1 Actions 

In this section, we define two types of actions, simple actions that occur
instantaneously, and durative actions that take place over a period of time and
possibly require certain conditions to be true during this time. A term over
$A_i$ is either a member of $dom(A_i)$ or a variable over $dom(A_i)$. If
$R(A_1, \ldots, A_n)$ is a relation in a planspace and $t_i$ ($1 \leq i \leq n$)
is a term over $A_i$, then $R(t_1, \ldots, t_n)$ is an atom. Likewise, if
$A_i, A_j$ are attributes, then $A_i = A_j$ is an atom - if $A_i, A_j$ are both
attributes such that $dom(A_i), dom(A_j)$ are subsets of the reals, then
$A_i \leq A_j$, $A_i < A_j$, $A_i \geq A_j$ and $A_i > A_j$ are atoms. If A is
an atom, then A and $\neg A$ are literals.

1 Due to space constraints, we are unable to present operators to update plan
databases.

If $R(A_1, \ldots, A_n, V)$ is a numerical relation and $\delta$ is a real
number, then $incr(R, \delta)$, $decr(R, \delta)$ and $assign(R, \delta)$ are
nu-formulas. These formulas say that the V column of R must be increased or
decreased by (or set to) the value $\delta$.

Definition 2.3. A simple action w.r.t. a planspace $\mathcal{PS}$ is a 5-tuple
consisting of

• Name: A string $\alpha(A_1, \ldots, A_n)$, where each $A_i$ is a variable
called a parameter of the action.

• Precondition $pre(\alpha)$: a conjunction of literals over the planspace.

• Add list $add(\alpha)$: set of atoms (denote what becomes true after
executing the action).

• Delete list $del(\alpha)$: set of atoms (denote what becomes false after
executing the action).

• Numeric update list $update(\alpha)$: set of nu-formulas.

If $c_i \in dom(A_i)$ for $1 \leq i \leq n$, then $\alpha(c_1, \ldots, c_n)$ is
an instance of $\alpha(A_1, \ldots, A_n)$. As is standard practice in AI
planning, we assume that all actions are range restricted, i.e., that all
variables appearing in the condition and effects are parameters of the action.
Thus, each action is unambiguously specified by its name.

A simple action is executed instantaneously (in 0 time) and its effects are
described by its add list, delete list and update list. We assume the
nu-formulas in the numeric update list are executed in the following order: all
incr updates first, then all decr updates, and then all assign updates.

Definition 2.4. Suppose $\alpha(\vec{t})$ is an action instance.
$L(\alpha(\vec{t}))$ denotes the set of all numerical variables updated by
$\alpha(\vec{t})$. $R(\alpha(\vec{t}))$ denotes the set of numerical variables
read by $\alpha(\vec{t})$ and $L^*(\alpha(\vec{t}))$ is the set of all numerical
variables whose value is being increased or decreased (but not assigned) by
$\alpha(\vec{t})$.

A simple action instance $\alpha(\vec{t})$ is executable in planworld pw if
$pre(\alpha(\vec{t}))$ is satisfied by pw. The concept of mutual exclusion of
actions specifies when two actions cannot co-occur.

Definition 2.5. Two simple action instances $\alpha(\vec{t})$ and
$\beta(\vec{z})$ are mutually exclusive if any of the following hold:

$pre(\alpha(\vec{t})) \cap (add(\beta(\vec{z})) \cup del(\beta(\vec{z}))) \neq \emptyset$
$pre(\beta(\vec{z})) \cap (add(\alpha(\vec{t})) \cup del(\alpha(\vec{t}))) \neq \emptyset$
$add(\alpha(\vec{t})) \cap del(\beta(\vec{z})) \neq \emptyset$
$del(\alpha(\vec{t})) \cap add(\beta(\vec{z})) \neq \emptyset$
$L(\alpha(\vec{t})) \cap R(\beta(\vec{z})) \neq \emptyset$
$L(\beta(\vec{z})) \cap R(\alpha(\vec{t})) \neq \emptyset$
$L(\alpha(\vec{t})) \cap L(\beta(\vec{z})) \neq L^*(\alpha(\vec{t})) \cap L^*(\beta(\vec{z}))$

$\alpha(\vec{t})$ and $\beta(\vec{z})$ are mutually compatible (i.e. they can
occur at the same time) if they are not mutually exclusive.

If A is an atom (resp. nu-formula, literal, conjunction of literals) and
$w \in \{AtStart, AtEnd, OverAll\}$ then w : A is an annotated atom (resp.
nu-formula, literal, conjunction of literals).

Definition 2.6. A durative action w.r.t. a planspace $\mathcal{PS}$ is a
5-tuple consisting of

• Name: this is the same as for simple actions.

• Condition $cond(\alpha)$: set of annotated literals.

• Add list $add(\alpha)$: set of w : A where A is an atom and
$w \in \{AtStart, AtEnd\}$.

• Delete list $del(\alpha)$: set of w : A where A is an atom and
$w \in \{AtStart, AtEnd\}$.

• Numeric update list $update(\alpha)$: set of w : A where A is a nu-formula and
$w \in \{AtStart, AtEnd\}$.

Instances of durative actions are defined in the same way as for simple actions.

An action instance is an expression of the form $\alpha(\vec{t})$ for a vector
$\vec{t}$ of the form $(c_1, \ldots, c_n)$ that assigns a constant to each
variable in the name.

Example 2.2. We present a durative action, load-truck(p,t,l), which loads
package p into truck t at location l.

• cond(load-truck(p,t,l)) = {atStart : at(p,l), atStart : at(t,l), overAll :
at(t,l)}. This says that when we start executing the load-truck(p,t,l) action,
the truck and package should both be at location l and that throughout the
execution of the load-truck action, the truck must be at location l (e.g. it
cannot start moving during the loading operation).

• add(load-truck(p,t,l)) = {atEnd : in-truck(p,t)}. This says that the atom
in-truck(p,t) is true at the end of the loading operation.

• del(load-truck(p,t,l)) = {atStart : at(p,l)}. Once we start executing the
action, package p is no longer deemed to be at location l.

• update(load-truck(p,t,l)) = {}. There is no numeric update to be performed.

Other actions include unload-truck for unloading a package from truck, board- 
truck when a driver boards a truck, disembark-truck for disembarking the driver, 
and walk for displacing the driver on foot. 

2.2 Plans and Plan Databases 

In this section, we formally define a plan (and a plan database). Intuitively, a
plan consists of a set of actions and constraints on the start and/or end times
of actions. Due to space constraints, we use natural numbers to model time
(formal calendars can be used with no difficulty). We use the variables
$st(\alpha(\vec{t}))$ and $et(\alpha(\vec{t}))$, respectively, to denote the
start and end times of an action.

Note that any durative action $\alpha(\vec{t})$ can be split into three simple
action instances. $\alpha_{start}(\vec{t})$ describes what happens at the start
of the durative action. $\alpha_{interval}(\vec{t})$ is a simple action
describing the conditions that must hold during the duration of the action (no
changes occur during execution). $\alpha_{end}(\vec{t})$ is a simple action
describing changes at the end. We use $SIMPLE(\alpha(\vec{t}))$ to denote this
set of three simple actions associated with $\alpha(\vec{t})$. For
$\alpha(\vec{t})$ to be executable, the precondition of
$\alpha_{start}(\vec{t})$ must hold when we start executing $\alpha$ and the
precondition of $\alpha_{end}(\vec{t})$ must hold just before we finish
executing. During execution, the precondition of $\alpha_{interval}(\vec{t})$
must be true. We now state this formally:

Definition 2.7. Suppose $pw_i$ denotes the planworld at time i. An action
instance $\alpha(\vec{t})$ is executable in a sequence of planworlds
$[pw_1, \ldots, pw_k]$ if all of the following hold:

• $\alpha_{start}(\vec{t})$ is executable in $pw_1$;

• $\forall i$, $1 < i < k$, $\alpha_{interval}(\vec{t})$ is executable in $pw_i$;

• $\alpha_{end}(\vec{t})$ is executable in $pw_k$;

where $k = et(\alpha(\vec{t}))$.

Furthermore, action instances $\alpha(\vec{t})$ and $\beta(\vec{z})$ are
mutually exclusive if an action in $SIMPLE(\alpha(\vec{t}))$ and an action in
$SIMPLE(\beta(\vec{z}))$ are mutually exclusive and happen at the same time.

Informally speaking, a plan is a set of action instances that are pairwise 
mutually compatible with each other and that are executed in accordance with 
some temporal constraints. We define execution constraints below. 

Definition 2.8. An execution constraint for an action $\alpha(\vec{t})$ is an
expression of the form $st(\alpha(\vec{t})) = c$ or $et(\alpha(\vec{t})) = c$
where c is a natural number.

Definition 2.9. A plan w.r.t. a (finite) set A of actions is a pair (A', C) where
A' is a set of action instances from A and C is a set of execution constraints
w.r.t. actions in A'.²

A plan is definite if for all actions in A', there are two execution constraints 
in C, one for constraining the start time and the other constraining the end time. 

Goals. In AI planning, a plan normally is generated to achieve some goal that 
is represented as a set of literals g. Though we do not define goals explicitly, 
there is no loss of generality because each goal g can be encoded in the plan 
as a special action whose pre-condition is g and whose effects are empty. The 
duration of this action specifies how long the goal conditions should be protected 
in the plan world after the completion of the plan. 

We only consider definite plans in this paper, rather than allowing the start 
and end times of actions to vary. 

2 A minor problem here is how to handle plans in which the same action (e.g.,
refuel(truck1)) occurs more than once. An easy way to ensure that distinct
action instances have different names is to give each action instance an
additional parameter called an action identifier that is different for each
distinct action instance, e.g., refuel(truck1, instance01) and
refuel(truck1, instance02).

Example 2.3. Suppose we have packages $p_1, p_2$ at locations $l_1, l_2$
respectively. We have one truck $t_1$ at $l_1$ and a driver d in it. We want to
deliver $p_1$ and $p_2$ to $l_3$. One possibility is to load $p_1$, then pick up
$p_2$, and then go to the destinations. Here, (A', C) is:

• A' = {$a_1$ = load-truck($p_1, t_1, l_1$), $a_2$ = drive-truck($t_1, l_1, l_2, d$),
$a_3$ = load-truck($p_2, t_1, l_2$), $a_4$ = drive-truck($t_1, l_2, l_3, d$),
$a_5$ = unload-truck($p_1, t_1, l_3$), $a_6$ = unload-truck($p_2, t_1, l_3$)}

• C = {$st(a_1) = 1$, $et(a_1) = 2$, $st(a_2) = 3$, $et(a_2) = 5$, $st(a_3) = 6$,
$et(a_3) = 7$, $st(a_4) = 8$, $et(a_4) = 12$, $st(a_5) = 13$, $et(a_5) = 14$,
$st(a_6) = 13$, $et(a_6) = 14$}

C indicates an intuitive order for a package: load, drive, unload. Notice that
two unload operations are performed concurrently.

Note that each action in a plan is an abstract realization of a physical process.
For example, the action drive($t_1, l_1, l_2, d$) is a syntactic representation
of the physical action that a driver performs of driving from one place to
another. Due to exogenous events, an action may not always succeed when carried
out in the real world.

Definition 2.10. A plan database is a 4-tuple ($\mathcal{PS}$, pw, plans, now),
where $\mathcal{PS}$ is a planspace, pw is the current planworld, plans is a
finite set of plans and now is the current time.

3 Consistency and Coherence of Plan DBs 

Not all plan databases are consistent. For example, if we have only 50 gallons 
of fuel at a given location at some time T, and two different plans each plan to 
use 40 of those 50 gallons at that location at time T, then we would have an 
inconsistency. Coherence, on the other hand, intuitively requires that the plans 
be executable: all plans in the database must, for example, have preconditions 
that are valid w.r.t. the other plans in the database and the initial planworld. 
To formalize these notions, we first introduce the concept of future planworlds. 

3.1 Future Planworlds 

Throughout this section, we let PLDB = ($\mathcal{PS}$, pw, plans, now) be some
arbitrary but fixed plan database. We use $S_{plans}(i)$ (resp. $E_{plans}(i)$)
to denote the set of all actions in plans whose start (resp. end) time is i.
$I_{plans}(i)$ is the set of the actions that start before time i and end after
time i. The set of active actions at time i w.r.t. a given set plans of plans is
defined as:

$Active_{plans}(i) = \left(\bigcup_{\alpha \in S_{plans}(i)} \alpha_{start}\right) \cup \left(\bigcup_{\alpha \in E_{plans}(i)} \alpha_{end}\right) \cup \left(\bigcup_{\alpha \in I_{plans}(i)} \alpha_{interval}\right)$.

Suppose plans is given, the current time is i, and the planworld at time i
is $pw_i$. What should the planworld at time $t_{i+1}$ be, according to plans?
We use $\mathcal{PW}^{i}_{plans}(R)$ to denote the extent of relation R at time
i w.r.t. plans.

Definition 3.1 (future planworlds). For all R,

$\mathcal{PW}^{now}_{plans}(R) = R$

$\mathcal{PW}^{i+1}_{plans}(R) = (\mathcal{PW}^{i}_{plans}(R) - Del_R(i, plans)) \cup Add_R(i, plans)$,

where $Add_R(i, plans)$ and $Del_R(i, plans)$ are the set of all insertions and
deletions, respectively to/from relation R by all actions in
$S_{plans}(i) \cup E_{plans}(i)$. In the special case where R is a numeric
relation, all tuples whose values are updated will be in $Del_R(i, plans)$ and
$Add_R(i, plans)$ will contain the updated tuples with the new values, v'. If a
numeric variable is updated at time i by a set of concurrent plan updates, then
its new value will be computed as the old value plus the sum of all increases
and decreases.

Assumptions. The above definition assumes that (i) when an action is success- 
fully executed, its effects are incorporated into the planworld one time unit after 
the action’s completion; (ii) all the actions in plans are successfully executable 
until information to the contrary becomes available; (iii) none of the actions are 
mutually exclusive with each other. 

We now formally define the concept of consistency. Intuitively, consistency 
of a plan database requires that at all time points t, no two actions are mutually 
exclusive. 

Definition 3.2. Let P be a set of plans, now be the current time and e be the
latest ending time in P. P is consistent if for every t, $now < t < e$,
$Active_P(t)$ does not contain any two simple actions that are mutually
exclusive.

The following algorithm can be used to check consistency of a set P of plans.

Algorithm ConsistentPlans(P, now)

L = ordered time points either at or one time unit before an action
    starts or ends in P;
while L is not empty do
    t = First member of L; L = L - {t};
    if ($\exists \alpha, \beta \in Active_P(t)$) $\alpha$ and $\beta$ are mutually exclusive
        then return false;
return true.

The reader can verify that the loop in this algorithm is executed at most 4n 
times, where n is the number of actions in P. Note that consistency of a plan 
database does not mean that the plan can be executed. To execute all the plans 
in a plan database, we need to ensure that the precondition of each action is 
true in the state (i.e. at the time) in which we want to execute it. The notion of 
coherence intuitively captures this concept. 

Definition 3.3. Suppose pw is the planworld at time now and P is a consistent
set of plans. Suppose e is the latest ending time of any action in P. P is
coherent iff for every $now < t < e$ every simple action in $Active_P(t)$ is
executable in $\bigcup_R \mathcal{PW}^{t}_{P}(R)$ where
$pw = \bigcup_R \mathcal{PW}^{now}_{P}(R)$.

Clearly, we would always like a plan database to be both consistent (no conflicts) 
and coherent (executable). The following algorithm may be used to check for 
coherence. 




Plan Databases: Model and Algebra 






Algorithm CoherentPlans(P, now, pw)

L = ordered time points either at or one time unit before an action
    starts or ends in P;
while L is not empty do
    t = First member of L; L = L - {t};
    if ($\exists \alpha \in Active_P(t)$) $pw \not\models pre(\alpha)$ then return false;
    if ($\exists \alpha, \beta \in Active_P(t)$) $\alpha$ and $\beta$ are mutually exclusive
        then return false;
    $pw = (pw - Del_R(t, P)) \cup (\bigcup_R Add_R(t, P))$;
return true.


Suppose we already know a given plan database is consistent (coherent), and
we want to modify the set of plans in the plan database (but not the other
components of the plan DB). The following two theorems provide sufficient
conditions to check if the modified set of plans is consistent (coherent).

Theorem 3.1. Suppose a plan database PLDB = ($\mathcal{PS}$, pw, plans, now) is
consistent. Let PLDB' = ($\mathcal{PS}$, pw, plans', now). PLDB' is consistent if

• $Actions(plans') \subseteq Actions(plans)$ and

• $Constraints(plans') \subseteq Constraints(plans)$,

where Actions(plans') is the set of all actions in all plans in plans' and
Constraints(plans') is the set of all constraints in all plans in plans'.

Theorem 3.2. We use the same notation as in theorem 1. Suppose a plan
database PLDB = ($\mathcal{PS}$, pw, plans, now) is coherent and plans'
satisfies the conditions in Theorem 1. PLDB' is coherent if:

1. $Cond(plans') \cap Effects(plans - plans') = \emptyset$, or

2. All actions in plans' end before any action in plans − plans' starts.

Here Cond(P) is the set of preconditions of all actions in P and Effects(P) is
the set of all the effects of all actions in P.
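
The ConsistentPlans and CoherentPlans checks, and the effect of dropping a plan as in Theorems 3.1 and 3.2, can be traced with the following Python sketch. It is an added example, not the authors' code. Assumptions: the definition of drive-truck, the planworld PW and the three plans are constructed here; only positive preconditions are modelled, and the numeric clauses of Definition 2.5 are omitted.

```python
from dataclasses import dataclass, field

# Atoms are tuples such as ("at", "t1", "l1"). Only positive conditions and
# add/delete effects are modelled; the numeric clauses are left out (assumption).

@dataclass(frozen=True)
class Simple:
    """One instantaneous part (start, interval or end) of a durative action."""
    name: str
    pre: frozenset = frozenset()
    add: frozenset = frozenset()
    delete: frozenset = frozenset()

@dataclass
class Durative:
    name: str
    st: int
    et: int
    cond: list                                   # (annotation, atom) pairs
    add: list = field(default_factory=list)
    delete: list = field(default_factory=list)

    def part(self, which):
        """SIMPLE(a): project the annotated lists onto one of the three parts."""
        when = {"start": "atStart", "interval": "overAll", "end": "atEnd"}[which]
        pick = lambda pairs: frozenset(atom for w, atom in pairs if w == when)
        return Simple(f"{self.name}.{which}", pick(self.cond), pick(self.add), pick(self.delete))

def active(plans, t):
    """Active_P(t): start parts at st, end parts at et, interval parts strictly between."""
    parts = []
    for plan in plans:
        for a in plan:
            if a.st == t:
                parts.append(a.part("start"))
            if a.et == t:
                parts.append(a.part("end"))
            if a.st < t < a.et:
                parts.append(a.part("interval"))
    return parts

def mutex(a, b):
    """Definition 2.5 restricted to preconditions, add lists and delete lists."""
    return bool(a.pre & (b.add | b.delete) or b.pre & (a.add | a.delete)
                or a.add & b.delete or a.delete & b.add)

def conflict(parts):
    """First mutually exclusive pair among the active parts, or None."""
    return next(((a.name, b.name) for i, a in enumerate(parts)
                 for b in parts[i + 1:] if mutex(a, b)), None)

def time_points(plans, now):
    """Points at, or one unit before, a start or end time (from now onwards)."""
    pts = {x - d for plan in plans for a in plan for x in (a.st, a.et) for d in (0, 1)}
    return sorted(p for p in pts if p >= now)

def consistent_plans(plans, now):
    return all(conflict(active(plans, t)) is None for t in time_points(plans, now))

def coherent_plans(plans, now, pw):
    pw = set(pw)
    for t in time_points(plans, now):
        parts = active(plans, t)
        if any(not p.pre <= pw for p in parts) or conflict(parts):
            return False
        for p in parts:                          # pw = (pw - Del(t, P)) U Add(t, P)
            pw -= p.delete
        for p in parts:
            pw |= p.add
    return True

def load(pkg, truck, loc, st, et):               # load-truck as in Example 2.2
    at_t = ("at", truck, loc)
    return Durative(f"load-truck({pkg},{truck},{loc})", st, et,
                    cond=[("atStart", ("at", pkg, loc)), ("atStart", at_t), ("overAll", at_t)],
                    add=[("atEnd", ("in-truck", pkg, truck))],
                    delete=[("atStart", ("at", pkg, loc))])

def drive(truck, src, dst, driver, st, et):      # assumed definition of drive-truck
    return Durative(f"drive-truck({truck},{src},{dst},{driver})", st, et,
                    cond=[("atStart", ("at", truck, src)), ("overAll", ("driving", driver, truck))],
                    add=[("atEnd", ("at", truck, dst))],
                    delete=[("atStart", ("at", truck, src))])

# Constructed planworld and plans (not from the paper).
PW = {("at", "p2", "l2"), ("at", "t1", "l1"), ("driving", "d", "t1")}
P_DRIVE = [drive("t1", "l1", "l2", "d", 1, 3)]
P_LOAD = [load("p2", "t1", "l2", 4, 5)]
P_DETOUR = [drive("t1", "l1", "l3", "d", 1, 4)]

if __name__ == "__main__":
    print(coherent_plans([P_DRIVE, P_LOAD], 1, PW))     # both plans together
    print(consistent_plans([P_LOAD], 1), coherent_plans([P_LOAD], 1, PW))
    print(conflict(active([P_DRIVE, P_DETOUR], 1)))     # the two drives clash at t = 1
```

Dropping P_DRIVE keeps the set consistent, as Theorem 3.1 predicts, but neither condition of Theorem 3.2 holds (the load's condition at(t1, l2) is an effect of the removed drive), and the coherence check fails.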

4 Plan Database Algebra 

We now define a plan database algebra (PDA for short) to query plan databases. 
PDA contains selection, projection, union, intersection, and difference operators. 
In addition, we introduce a coherent selection operator cs and a coherent pro- 
jection operator cp which is used to ensure coherence properties. A new fast 
forward operator can be used to query the database about future states. Note 
that this is different from a temporal database where future temporal states are
explicitly represented. In a plan database, all we are given explicitly is that var- 
ious actions are scheduled to occur at various times, and need to reason about 
when these actions are performed and their effects in order to answer queries 
about future states. Just reading the database is not adequate. 

4.1 Future Plan Databases 

In order to achieve this goal, we first define the concept of future plan databases. 
Recall that in Section 3.1, we introduced “future planworlds”. This definition 
assumed that the plan database was coherent. However, this may not always be 
the case. Future plan databases describe the state of the plan database by pro- 
jecting into the future. We assume we start with a consistent (but not necessarily 
coherent) database. 

Definition 4.1. Suppose ($\mathcal{PS}$, pw, plans, now) is a plan database and
that the current time is now. The future plan database PossDB at time i for
$i \geq now$ is defined inductively as follows:

1. For i = now: $PossDB^{i}((\mathcal{PS}, pw, plans, now)) = (\mathcal{PS}, pw, plans, now)$
and $plans^{i} = plans$.

2. For i > now: Suppose
$PossDB^{i-1}((\mathcal{PS}, pw, plans, now)) = (\mathcal{PS}, pw^{i-1}, plans^{i-1}, (i-1))$.
Then $PossDB^{i}((\mathcal{PS}, pw, plans, now)) = (\mathcal{PS}, pw^{i}, plans^{i}, i)$, where:

a) $pw^{i} = (pw^{i-1} - Del_R(i-1, plans^{i-1})) \cup (\bigcup_R Add_R(i-1, plans^{i-1}))$.

b) $plans^{i} = \{(A, C) \mid (A, C) \in plans^{i-1}, (A \cap CannotStart) = \emptyset\}$.

c) $CannotStart = \{\alpha \mid \alpha_{sub} \in Active, sub \in \{end, start, interval\}, pw^{i} \not\models pre(\alpha_{sub})\}$.

d) $Active = Active_{plans^{i-1}}(i)$

The above definition inductively defines the plan database at time i by
constructing it from the plan database at time (i − 1).

4.2 Selection Conditions 

Before defining selection, we first need to define selection conditions. Suppose
$\mathcal{PS}$ is some arbitrary but fixed planspace. As usual, we assume the
existence of variables over domains of all attributes in the relations present
in the planspace. In addition, we assume the existence of a set of variables
$Z_1, Z_2, \ldots$ ranging over plans, a set $A_1, A_2, \ldots$ of variables
ranging over actions, and a set $Y_1, Y_2, \ldots$ of variables ranging over
tuples (of a planworld). A plan term is either a variable of any of the above
three kinds, a constant of the appropriate kind, or of the form V.a where V is
a variable of the above kinds and a is an attribute of the term denoted by V.
If $V_1, \ldots, V_k$ are all plan terms then $(V_1, \ldots, V_k)$ is a plan
term denoting a tuple. Terms denoting actions and plans have special attributes
START and END that correspond to the start and end time of actions and plans. In
addition, terms denoting actions have a special name attribute. In the following
definition, we assume the existence of some arbitrary but fixed planspace.
Definition 4.2. Atomic selection conditions (ASCs) are inductively defined as
follows:

1. If Y is a tuple term and R is a relation, then $Y \in R$ is an ASC.

2. If P is a plan term and A is an action term, then $A \in P$ is an ASC.

3. If $t_1, t_2$ are terms of the same type, then $t_1 = t_2$ is an ASC.

4. If $t_1, t_2$ are terms of the same type and the type has an associated linear
ordering <, then $t_1 \; op \; t_2$ is an ASC, where $op \in \{<, \leq, >, \geq, <>\}$.

Definition 4.3. A simple plan database condition (simple PDC) is inductively
defined as: (i) every ASC is a simple PDC, and (ii) if $X_1, X_2$ are simple
PDCs, then so are $(X_1 \wedge X_2)$ and $(X_1 \vee X_2)$.

If X is a simple plan database condition and I is either a variable (over
integers) or an integer, then the expression [I] : X is a plan database condition
(PDC).

The condition [I] : X holds if the condition X evaluates to true at time I in
the underlying plan database. If I is a constant, then the PDC is called a time
bounded expression. Otherwise, we say that the PDC is an unbounded expression.

Definition 4.4 (satisfaction). Let X be a ground simple PDC and PLDB =
($\mathcal{PS}$, pw, plans, now) be a plan database. The satisfaction of all
atomic selection conditions by a PLDB is defined in the obvious way. In
addition, if p is a plan term, then PLDB satisfies p.END op c if for all actions
$a \in p$, $et(a) < now$, $z = \max\{e \mid et(a) = e, a \in p\}$ and z op c
holds. Similarly, PLDB satisfies p.START op c if there is an action $a \in p$
such that $st(a) < now$, $z = \min\{s \mid st(a) = s, s < now, a \in p\}$ and
z op c holds. If a is an action term and p is a plan, then PLDB satisfies
$a \in p$ if $p \in plans$, p = (A', C) and $a \in A'$. If a is an action term
in plan p then PLDB satisfies a.START op c iff st(a) = s, s < now and s op c
holds. Similarly, PLDB satisfies a.END op c iff et(a) = e, e < now and e op c
holds. If R is a relation name then PLDB satisfies $Y \in R$ for a tuple term Y
iff tuple Y is in the relation R according to pw. Suppose i is an integer, PLDB
satisfies [i] : X if and only if X is true in $PossDB^{i}(PLDB)$. If [I] : X is
a non-ground PDC then PLDB satisfies [I] : X if there exists a ground instance
$[I] : X\gamma$ such that $PLDB \models [I] : X\gamma$. If [I] : X is an
unbounded (i.e. I is a variable) PDC then PLDB satisfies [I] : X iff there
exists an integer i such that $PLDB \models [i] : X$.

As usual, we use the symbol |= to denote satisfaction. 

Example 4.1. To find all actions that finish before time 20, we can write
(A.END < 20). To find all plans that will finish successfully, we can write
[I] : (Z.END < I). In this expression, we want to find a time instance I where
all plans in the database at time I finish successfully (before time I).

The following algorithm finds all plans that successfully end before time i.
The algorithm is useful if a plan database is not coherent. If the plan database
is coherent, we know for certain that all the plans in the plan database will
succeed unless an exogenous real world event intervenes (which would lead to a
database update).

Algorithm PlansSuccessfullyEnd(PDB, i)

$Ans = \emptyset$;
$(\mathcal{PS}, pw^{i}, plans^{i}, i) = PossDB^{i}(PDB)$;
while $plans^{i} \neq \emptyset$ do
    Select $(A, C) \in plans^{i}$; $plans^{i} = plans^{i} - \{(A, C)\}$;
    if there is no $a \in A$ such that $et(a) > i$ then $Ans = Ans \cup \{(A, C)\}$
return Ans.

It is easy to see that the above algorithm can be executed in time
proportional to the number of plans in the plan database.

4.3 Selection 

The selection operation finds all plans (and their associated information) that 
satisfy a specific condition. 

It is important to note that selection may not preserve coherence. For instance,
suppose we have a database containing five plans $p_1, \ldots, p_5$ and suppose
$p_1, p_2, p_3$ satisfy the selection condition. Then these are the plans that the user
wants selected. However, $p_2$ may have actions in it that depend upon the prior
execution of $p_4$ (otherwise the preconditions of $p_2$ may not be true). Coherence
would require that we add $p_4$ to the answer as well. For this reason, we define two
versions of the selection operator: ordinary selection, which does not necessarily
guarantee coherence, and coherent selection, which would add a minimal number
of extra plans to guarantee coherence.

Definition 4.5. Suppose $PLDB = (\mathcal{PS}, pw, plans, now)$ is a plan database
and $[I] : X$ is a PDC involving a plan variable $Z$. The plan selection operation,
denoted by $\sigma_{[I]:X} PLDB(Z) = (\mathcal{PS}, pw, plans', now)$, is computed as

$plans' = \{(A, C) \mid (A, C) \in sol(Z)\}$, where

$sol(Z) = \{(A, C) \in plans \mid PLDB \models [I] : X/\{Z = (A, C)\} \text{ and } \nexists I' < I \text{ such that } PLDB \models [I'] : X/\{Z = (A, C)\}\}$.

Proposition 4.1. If $PLDB$ is consistent, then according to Theorem 1,
$\sigma_{[I]:X} PLDB(Z)$ is also consistent. If $PLDB$ is coherent and $\sigma_{[I]:X} PLDB(Z)$
satisfies either of the conditions in Theorem 2, then $\sigma_{[I]:X} PLDB(Z)$ is also
coherent.

Example 4.2. Suppose we want to retrieve all plans in which a certain driver,
say Paul, drives the truck. We can write the following plan selection query:
$\sigma_{[I]:X} PLDB(Z)$ where $X = (A = \textit{drive-truck}(\_, \_, \_, paul) \wedge A \in Z)$.

Suppose the initial plan database $PLDB$ contains the following plans:

• $P_1 = (\{a_1 = \textit{board-truck}(paul, t_1, c_1),\ a_2 = \textit{board-truck}(paul, t_1, c_2),\ a_3 = \textit{board-truck}(ted, t_2, c_3)\},\ \{st(a_1) = 1, et(a_1) = 3, st(a_2) = 9, et(a_2) = 11, st(a_3) = 1, et(a_3) = 3\})$

• $P_2 = (\{a_4 = \textit{drive-truck}(t_1, c_1, c_2, paul),\ a_5 = \textit{drive-truck}(t_2, c_1, c_2, ted)\},\ \{st(a_4) = 4, et(a_4) = 8, st(a_5) = 6, et(a_5) = 11\})$

• $P_3 = (\{a_6 = walk(paul, c_2, c_3)\},\ \{st(a_6) = 12, et(a_6) = 16\})$

and the current time is 0. In this case, the above query returns only $P_2$. However,
the plan database which contains just $P_2$ is not coherent at time 0 because at
time 4, Paul will not be in truck $t_1$, which is one of the conditions of action $a_4$.
The coherent selection operation will fix this.

Example 4.3. Suppose we want to retrieve all plans in which the same driver has
to deliver items to at least three different places. We can write the following plan
selection expression: $\sigma_{[I]:X} PLDB(Z)$ where
$X = (A_1 = \textit{drive-truck}(\_, \_, L_1, D) \wedge A_2 = \textit{drive-truck}(\_, \_, L_2, D) \wedge A_3 = \textit{drive-truck}(\_, \_, L_3, D) \wedge A_1 \in Z \wedge A_2 \in Z \wedge A_3 \in Z \wedge L_1 \neq L_2 \wedge L_1 \neq L_3 \wedge L_2 \neq L_3)$.

4.4 Coherent Selection 

Selection is guaranteed to preserve consistency, but not coherence. Fortunately,
we can restore coherence by using the algorithm ClosePlans below. The algorithm
invokes a subroutine called SupportivePlans($P$, $F$, $t$). For every action
$a \in F$, SupportivePlans nondeterministically$^3$ selects a plan in $P$ that contains
an action $\beta$ with an effect $e$ which establishes the precondition of $a$. It also
ensures that $st(\beta)$ (resp. $et(\beta)$) is less than $t$, if $e$ is an effect of $\beta_{start}$ (resp. $\beta_{end}$).
SupportivePlans returns the set of selected plans. The algorithm is guaranteed
to terminate if the input plan DB $plans$ is coherent wrt $pw$ and $now$.

Algorithm ClosePlans($\mathcal{PS}$, $pw$, $plans$, $now$, $plans'$)

$last$ = Latest ending time in $plans'$;
$t = now$; $pw_t = pw$;
while $t < last$ do
    $A = Active_{plans'}(t)$
    if $A = \emptyset$ then
        $pw_{t+1} = pw_t$; $t = t + 1$;
    else if $\forall a \in A,\ pw_t \models pre(a)$ then
        $pw_{t+1} = pw_t - Del_{plans'}(t) + Add_{plans'}(t)$;
        $t = t + 1$;
    else
        $F = \{a \mid a \in A,\ pw_t \not\models pre(a)\}$;
        $P$ = SupportivePlans($plans - plans'$, $F$, $t$);
        $t$ = Earliest start time of actions in $P$;
        $plans' = plans' \cup P$
        $last$ = Latest ending time in $plans'$;
return $plans'$

We now define the coherent selection operator cs that guarantees coherence.

Definition 4.6. Suppose $PLDB = (\mathcal{PS}, pw, plans, now)$ is a plan database
and $[I] : X$ is a PDC involving a plan variable $Z$. The coherent selection
operation, denoted by $cs_{[I]:X} PLDB(Z) = (\mathcal{PS}, pw, plans^*, now)$, is given by:

• $(\mathcal{PS}, pw, plans', now) = \sigma_{[I]:X} PLDB(Z)$

• $plans^* = ClosePlans(\mathcal{PS}, pw, plans, now, plans')$

3 Note that any nondeterministic operation can be made deterministic by defining a
linear order on all choices and simply choosing the choice that is minimal w.r.t. the
linear order. Due to space limitations, we do not pursue this option here.

Example 4.4. Let us return to Example 4.2, where we want to select all plans in
which Paul drives. The coherent selection operation would return the plan DB
containing both $P_2$ and $P_1$, which will be coherent.
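
The difference between ordinary and coherent selection in Examples 4.2 and 4.4, as an added Python sketch that is not code from the paper. It replaces the time-stepping loop of ClosePlans with a simpler restart-from-now loop and resolves the nondeterministic choice by smallest plan identifier; the plan-world atoms, preconditions and effects attached to each action are assumptions, since the action definitions are not part of this section.

```python
from collections import namedtuple

# pre is checked at st; add/dele are applied at et and visible from et + 1.
Action = namedtuple("Action", "name st et pre add dele")

def act(name, st, et, pre=(), add=(), dele=()):
    return Action(name, st, et, frozenset(pre), frozenset(add), frozenset(dele))

def select(plans, cond):
    """Ordinary selection: ids of plans containing an action that satisfies cond."""
    return {pid for pid, acts in plans.items() if any(cond(a) for a in acts)}

def first_failure(pw, plans, now, chosen):
    """Run the chosen plans from `now`; return (action, missing atoms) or None."""
    world = set(pw)
    acts = [a for pid in sorted(chosen) for a in plans[pid]]
    for t in range(now, max((a.et for a in acts), default=now) + 1):
        for a in acts:
            if a.st == t and not a.pre <= world:
                return a, a.pre - world
        for a in acts:
            if a.et == t:
                world = (world - a.dele) | a.add
    return None

def close_plans(pw, plans, now, selected):
    """Restart-based simplification of ClosePlans: add supporting plans until
    every precondition of the chosen plans holds when its action starts."""
    chosen = set(selected)
    while (fail := first_failure(pw, plans, now, chosen)) is not None:
        a, missing = fail
        # Deterministic stand-in for SupportivePlans (footnote 3): the smallest
        # plan id whose action establishes a missing atom before a starts.
        support = sorted(pid for pid in plans.keys() - chosen
                         if any(b.et < a.st and b.add & missing for b in plans[pid]))
        if not support:
            raise ValueError(f"{a.name}: no supporting plan, input DB is not coherent")
        chosen.add(support[0])
    return chosen

# Constructed from Example 4.2; the precondition/effect atoms are assumptions.
PW = {"at(paul,c1)", "at(t1,c1)", "at(ted,c3)", "at(t2,c3)"}
PLANS = {
    "P1": [act("board-truck(paul,t1,c1)", 1, 3, {"at(paul,c1)", "at(t1,c1)"},
               {"in(paul,t1)"}, {"at(paul,c1)"}),
           act("board-truck(paul,t1,c2)", 9, 11, {"at(t1,c2)"}, {"in(paul,t1)"}),
           act("board-truck(ted,t2,c3)", 1, 3, {"at(ted,c3)", "at(t2,c3)"},
               {"in(ted,t2)"}, {"at(ted,c3)"})],
    "P2": [act("drive-truck(t1,c1,c2,paul)", 4, 8, {"in(paul,t1)", "at(t1,c1)"},
               {"at(t1,c2)"}, {"at(t1,c1)"}),
           act("drive-truck(t2,c1,c2,ted)", 6, 11, {"in(ted,t2)"}, {"at(t2,c2)"})],
    "P3": [act("walk(paul,c2,c3)", 12, 16, {"at(paul,c2)"}, {"at(paul,c3)"})],
}

def paul_drives(a):
    return a.name.startswith("drive-truck(") and a.name.endswith(",paul)")

if __name__ == "__main__":
    print(sorted(close_plans(PW, PLANS, 0, select(PLANS, paul_drives))))
```

Ordinary selection yields only P2, whose first action fails at time 4 for lack of in(paul,t1); closing the result pulls in P1 with all three of its actions.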

4.5 Projection 

The projection operation selects plans which contain actions that satisfy a specific
condition. For a plan, only the actions that satisfy the conditions are kept,
the others are removed from the plan. As in the case of selection, the coherence
property may be violated after a projection. Later, we will introduce a coherence
preserving projection operation that establishes coherence by reinserting some
actions and/or plans removed during projection to reestablish the necessary
coherence property.

Definition 4.7. Suppose $PLDB = (\mathcal{PS}, pw, plans, now)$ is a plan database
and $[I] : X$ is a PDC involving a variable $A$ denoting an action. The action
projection operation, denoted $\Pi_{[I]:X} PLDB(A) = (\mathcal{PS}, pw, plans', now)$, is
defined as:

• $plans' = \{(A^*, C^*) \mid (A', C) \in plans,\ A^* = \{a \mid a \in A' \text{ and } a \in sol(A)\},\ C^* = rest(C, A^*)\}$,

where

• $sol(A) = \{a \mid (A', C) \in plans \text{ and } PLDB \models [I] : X/\{A = a\} \text{ and } \nexists I' < I \text{ such that } PLDB \models [I'] : X/\{A = a\}\} \cup \{a \mid (A', C) \in plans \text{ and } st(a) < now\}$;

• $rest(C, A^*) = \bigcup_{a \in A^*} \{\text{all execution constraints for } a \text{ in } C\}$.

We note that the action projection will return the actions that satisfy the given
conditions as well as the actions that have already started.

Proposition 4.2. If $PLDB$ is consistent then so is $\Pi_{[I]:X} PLDB(A)$. If $PLDB$
is coherent and $\Pi_{[I]:X} PLDB(A)$ satisfies either of the conditions in Theorem
2, then $\Pi_{[I]:X} PLDB(A)$ is also coherent.

Example 4.5. Suppose we want to retrieve plans only consisting of drive-truck
actions. Specifically, we only want to keep those actions for which there exists,
in their own plan, another delivery that has the same driver, and the second
delivery happens after $x$ time units. We can use the following plan projection
query: $\Pi_{[I]:X} PLDB(A)$ where
$X = (A_1 = \textit{drive-truck}(\_, \_, \_, D) \wedge A_2 = \textit{drive-truck}(\_, \_, \_, D) \wedge A_1 \neq A_2 \wedge et(A_1) - et(A_2) = x \wedge (A = A_1 \vee A = A_2))$.

Example 4.6. Consider once more the selection query in Example 4.4. A projection
operation with the same condition on the same plan database will
yield a plan database with the following single plan in it:
$P_2 = (\{a_4 = drive(t_1, c_1, c_2, paul)\},\ \{st(a_4) = 4, et(a_4) = 8\})$.
As explained earlier, $a_4$ will fail because there is no driver in the truck.

4.6 Coherent Projection

We now define a closed plan projection operator cp similar to the coherent 
selection operator. It will return the plans with actions that satisfy the selection 
criteria as well as the other actions needed to make the projected set of plans 
coherent. 

Definition 4.8. Suppose $PLDB = (\mathcal{PS}, pw, plans, now)$ is a plan database
and $[I] : X$ is a PDC. The closed plan projection operation, denoted
$cp_{[I]:X} PLDB(A) = (\mathcal{PS}, pw, plans^*, now)$, is given by:

• $(\mathcal{PS}, pw, plans', now) = PLDB(A, Z)$

• $plans^* = CloseActions(\mathcal{PS}, pw, plans, now, plans')$

The definition of closed projection requires a CloseActions procedure
which is a slight variation of the ClosePlans algorithm. Instead of calling
SupportivePlans, it calls a SupportiveActions which is a slight variant of
SupportivePlans: basically this procedure returns plans restricted to the
supporting actions. The following example shows the use of the coherent projection
operator.

Example 4.7. Let us return to the case of Example 4.6 and use coherent projection
instead of projection. The resulting plan DB contains two plans:

• $P_1' = (\{a_1 = \textit{board-truck}(paul, t_1, c_1)\},\ \{st(a_1) = 1, et(a_1) = 3\})$,

• $P_2' = (\{a_4 = \textit{drive-truck}(t_1, c_1, c_2, paul)\},\ \{st(a_4) = 4, et(a_4) = 8\})$.

This database is coherent. Notice the difference between the number of actions
added by coherent selection and by coherent projection. In the first case, the total
number of actions added into the plan database is three whereas in the second
case it is only one. This is because coherent selection includes a plan with all its
actions, whereas coherent projection only includes the necessary actions.

4.7 Fast Forward 

In this section we define the fast-forward operator which returns future states
of a plan database that satisfy various PDC conditions. The fast forward operation
can be thought of as a projection operation into the future. Note, however,
that unlike a temporal database, we cannot look just at the relational state: we
must also see how this relational state changes over time as the various actions
in the plan database are executed according to the given schedule.

Definition 4.9. Suppose $PLDB = (\mathcal{PS}, pw, plans, now)$ is a plan database
and $[I] : X$ is a PDC. The fast forward of database $PLDB$ with respect to $[I] : X$
is $\Gamma_{[I]:X}(PLDB) = PossDB^I(PLDB)$, where $I$ is the smallest integer such
that $PLDB \models [I] : X$, if such an $I$ exists. If no such $I$ exists, then $\Gamma_{[I]:X}(PLDB)$
is undefined.

Proposition 4.3. If $PLDB$ is consistent/coherent and $\Gamma_{[I]:X}(PLDB)$ is defined
then $\Gamma_{[I]:X}(PLDB)$ is also consistent/coherent.

4.8 Union, Intersection, Difference

In this section we describe the union, difference and intersection operations for
plan databases. We first define the notion of union compatibility, which simply
states that the data in two plan worlds must have the same values for the same
numeric variables. The reason for this is that if one plan world says there are 10 gallons
of fuel, and another plan world says there are 20, then the union yields something
claiming there are both 10 and 20 gallons of fuel, which is problematic. Unlike
intersection and difference, union does not necessarily preserve consistency even
when the plan databases involved are union compatible. However, in Theorem 3
below, we state some conditions that are sufficient to preserve consistency. Two
databases $(\mathcal{PS}, pw, plans, now)$ and $(\mathcal{PS}, pw', plans', now)$ are union compatible
if every numeric variable that is in both $pw$ and $pw'$ has the same value in
both plan worlds.

Definition 4.10. Let $PLDB_1 = (\mathcal{PS}, pw_1, plans_1, now)$ and
$PLDB_2 = (\mathcal{PS}, pw_2, plans_2, now)$ be two union compatible plan databases.
Suppose the plans in $plans_2$ are renamed so that there are no plans with the
same identifier in both databases. Then, the union of $PLDB_1$, $PLDB_2$, denoted
$PLDB_1 \cup PLDB_2$, is given by

$PLDB_1 \cup PLDB_2 = (\mathcal{PS},\ pw_1 \cup pw_2,\ plans_1 \cup plans_2,\ now)$.

The following theorem states conditions guaranteeing consistency of the union 
of two union-compatible plan databases. 

Theorem 4.1. Suppose $PLDB_1$ and $PLDB_2$ are consistent. $PLDB_1 \cup PLDB_2$
is consistent if $\forall (a \in Actions(plans_1), \beta \in Actions(plans_2))$ either of the
following holds:

1. $(Cond(a) \cup Effects(a)) \cap (Cond(\beta) \cup Effects(\beta)) = \emptyset$;

2. $st(a) > et(\beta)$ or $st(\beta) > et(a)$;

where $Actions(plans)$ is the set of all actions of all plans in $plans$, $Cond(a)$ is
the set of conditions of $a$ and $Effects(a)$ is the set of all effects of $a$.

Theorem 3 is intuitive. If any two actions that access the same atoms do 
not overlap in time, then they cannot be mutually exclusive because none of 
their simple actions will happen at the same time. Any other two actions with 
overlapping executions will not be mutually exclusive since they don’t modify 
the truth values of the same atoms. 
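
The union operation together with the two sufficient conditions of the theorem above, as an added Python sketch that is not code from the paper. A plan database is reduced here to a triple (pw, plans, now) whose plan world holds only numeric variables, and actions are dictionaries with name, st, et, cond and effects keys; this representation and the sample data are assumptions made for the example.

```python
from itertools import product

def union_compatible(pw1, pw2):
    """Numeric variables present in both plan worlds must have the same value."""
    return all(pw1[v] == pw2[v] for v in pw1.keys() & pw2.keys())

def atoms(a):
    """Cond(a) together with Effects(a)."""
    return set(a["cond"]) | set(a["effects"])

def unsafe_pairs(plans1, plans2):
    """Action pairs that meet neither condition 1 nor condition 2 of the theorem."""
    acts1 = [a for acts in plans1.values() for a in acts]
    acts2 = [b for acts in plans2.values() for b in acts]
    return [(a["name"], b["name"]) for a, b in product(acts1, acts2)
            if atoms(a) & atoms(b)                              # condition 1 fails
            and not (a["st"] > b["et"] or b["st"] > a["et"])]   # condition 2 fails

def union(db1, db2):
    """Union per Definition 4.10; plans of db2 are renamed on an identifier clash.
    Returns the union and the pairs for which consistency is not guaranteed."""
    (pw1, plans1, now1), (pw2, plans2, now2) = db1, db2
    if now1 != now2 or not union_compatible(pw1, pw2):
        raise ValueError("plan databases are not union compatible")
    merged = dict(plans1)
    for pid, acts in plans2.items():
        new_id = pid
        while new_id in merged:
            new_id += "'"
        merged[new_id] = acts
    return ({**pw1, **pw2}, merged, now1), unsafe_pairs(plans1, plans2)

# Constructed sample databases (not from the paper).
DB1 = ({"fuel": 10},
       {"P1": [{"name": "a1", "st": 1, "et": 3,
                "cond": {"at(t1,c1)"}, "effects": {"in(paul,t1)"}}]}, 0)
DB2 = ({"fuel": 10, "crates": 4},
       {"P1": [{"name": "b1", "st": 2, "et": 5,
                "cond": {"at(t1,c1)"}, "effects": {"at(t1,c2)"}},
               {"name": "b2", "st": 6, "et": 9,
                "cond": {"in(paul,t1)"}, "effects": set()}]}, 0)
DB3 = ({"fuel": 20}, {}, 0)   # disagrees with DB1 on fuel

if __name__ == "__main__":
    print(union(DB1, DB2))
```

An empty list of unsafe pairs means the theorem guarantees a consistent union; a non-empty list only means the guarantee does not apply, because the conditions are sufficient rather than necessary.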

The intersection and difference between two plan databases can be defined 
analogously, but we omit the definitions due to lack of space. Note that union, 
intersection, and difference may not be coherent even if the input plan DBs are 
coherent. We can define coherent union, intersection and difference operators in 
a manner similar to the coherent selection and projection operators. 
5 Related Work

To date, there has been no other work on developing plan databases. We are 
aware of no formal query language for querying plans analogous to the relational 
algebra or relational calculus. However, there are two related areas: case based 
planning and temporal databases. 

The goal of case based planning [6] is to store plans in a “case base” so
that when we need to solve a new planning problem, we can examine the case
base and identify similar plans that can be modified to solve the new planning
problem. Our goal in this paper is very different. We are interested in querying
large databases of plans so that different applications can perform their tasks.
Such applications involve logistics, where a transportation company may wish
to examine plans and schedules to determine how to allocate resources (using
operations research methods perhaps) and to analyze traffic, as well as
air traffic control, where we wish to identify when and where aircraft will be
in the future so as to avoid potential mishaps. Some important aspects of our
framework are consistency and coherence of the database. In contrast, case
based planners require neither consistency nor coherence because the case base
is not a set of plans being executed; rather, it is a library and the queries to this
library concentrate on similarity issues.

There are also connections between our work and work in temporal databases
[9,2]. In temporal relational databases, we have two kinds of time: transaction
time and valid time. Transaction time databases store information about when
a given tuple was inserted into a relation, when updates were made, etc. Therefore,
such databases deal with past events, not future events. In addition, they
only deal with actions that affect the database. In contrast, in planning, we deal
with actions that are intended to be executed in the future, these actions have
an effect on the real world, and these effects are represented in the database
by making updates to the database at appropriate future time instances. This
involves notions like coherence and consistency that are not relevant for transaction
time (notions of consistency associated with database locking are very
different). Valid time usually associates with an ordinary relational tuple either
a single time stamp or a time interval. These denote the time when an event is
true (or a time interval throughout which the event is true). Even though the
start and end times of actions can be stored in a temporal database, temporal
databases do not reason about the effects of these actions, nor do they allow
queries that require reasoning about such effects.

There are also a few pieces of work [5,3] involving non-deterministic time,
in which one can make statements of the form “An event is valid at some time
point in a given interval” (as compared to being true throughout the interval).
Consistency here can be important [10,7]. Users might be interested in temporal
queries such as “Find all events starting after some time t or after completion
of some other event e.” Processing such queries requires checking consistency
of temporal constraints. In such temporal constraint databases and query languages,
the temporal constraints used can be much more expressive than those
used in our model. However, the purposes are very different. These works discuss
the occurrence of events at time points in the future, but not the
fact that these events could be actions that have an impact on the world. As a
consequence, they do not model the fact that their events can trigger updates
to the database. Hence, there is no need in their frameworks for concepts like
consistency, coherence, and closure introduced here, and our definitions of the
algebraic operations are correspondingly different.

6 Conclusions 

Many agencies and corporations store complex plans — ranging from production 
plans to transportation schedules to financial plans — composed of hundreds 
of “interlinked” plan elements. Such applications require not only that plans 
be created automatically, but also that they be stored in an appropriate data 
model, and that they be monitored and tracked as they (i.e. the plans)
are executed. To date, most work on plans has focused on the creation of plans. 

In this paper, we propose a data model for storing plans so that plans may be 
monitored and tracked. We propose the concept of a plan database and provide 
algebraic operations to query such databases. These algebraic operations extend 
the classical relational operations of selection, projection, join, etc. In addition, 
we provide algorithms to update sets of plans as new plans need to be added to 
the database, and as old plans are executed (and either adhere or do not adhere 
to their intended schedules). 

Much future work remains to be done on plan databases, and this paper 
merely represents a first step. Topics for future study include scalable disk-based
index structures to query plan databases, cost models for plan algebra
operations, equivalences of queries in plan databases, and optimizing queries to 
plan databases. 